I submit this Report in the above-captioned action on behalf of Ira Kleiman, as the personal 
representative of the Estate of David Kleiman, and W&K Info Defense Research, LLC 
(collectively, “Plaintiffs”). 

If called as a witness, I could and would testify to the truth of these facts and opinions
under oath.


I. BACKGROUND AND QUALIFICATIONS 


1. I am over the age of eighteen (18), not a party to this action, and currently reside in 
New York, NY. My education, training, and experience fully qualify me to make the statements 
contained in this Report. 

2. I received a B.S. in Computer Science from Baylor University in 2005, an M.S. in
Computer Science from Rensselaer Polytechnic Institute in 2007, and a Ph.D. in Computer Science 
from Rensselaer Polytechnic Institute in 2011. 

3. I have authored or co-authored multiple research papers in peer-reviewed
conferences and journals related to techniques for cryptographic security and authentication in 
wireless networks, and the design, implementation, and analysis of anonymous communication 
systems on the Internet. 

4. As a Lead Cyber Security Engineer at The MITRE Corporation I supported the 
FBI’s Remote Operations Unit in the technical efforts of identifying the Tor hidden service hosting 
the Silk Road marketplace. I subsequently provided on-site support to the FBI’s New York field 
office to effect the seizure of bitcoins located on Silk Road servers and Ross Ulbricht’s personal
laptop and other devices, as well as the Silk Road webserver itself. Later, as a Senior Director at
FTI Consulting, I provided consulting to the U.S. Attorney’s Office for the Southern District of
New York in which I analyzed digital forensic evidence collected as part of the investigation to

Case 9:18-cv-80176-BB Document 500-2 Entered on FLSD Docket 05/09/2020 Page 4 of 64 


establish substantial and ongoing links between bitcoin wallets identified on Silk Road servers and 
Ulbricht’s personal bitcoin wallets, which was presented at Ulbricht’s trial. 

5. I have served as an invited member of the technical program committee for the 
Association for Computing Machinery’s Conference on Computer and Communications Security. 
I have also served as an invited member of the technical program committee for the International 
Financial Cryptography Association’s International Conference on Financial Cryptography and 
Data Security. Additionally, I have served as an external reviewer for several academic 
conferences and journals, including The Institution of Engineering and Technology’s Information 
Security Journal and the Privacy Enhancing Technologies Symposium. 

6. Since 2015, I have been a Director in the Cyber Security & Investigations practice 
at Berkeley Research Group, LLC (“BRG’’), a global strategic advisory and expert consulting firm. 
I regularly provide expert consultation to clients regarding computer and network security, as well 
as conduct cyber incident response and investigative analysis. 

7. From 2014 to 2015, I was a Senior Director in the Cyber Security & Investigations
Group of FTI Consulting, Inc.’s Global Risk and Investigations Practice. I worked on numerous 
matters related to computer and network security, and forensic evidence collection and analysis. 

8. From 2013 to 2014, I was a Senior Vulnerability Engineer in Bloomberg LP’s 
Vulnerability Analysis Team. I focused on data security and worked to protect sensitive data from 
both internal and external threats through continuous cyber security research and testing of the 
firm’s network infrastructure, websites, software, and mobile applications. 

9. From 2009 to 2013, I was a Lead Cyber Security Engineer in The MITRE
Corporation, a federally funded research and development center, where I specialized in research
and development of systems for anonymous communication on the Internet.

10. I hold a current AccessData Certified Examiner credential, which is a certification
recognized in the field of digital forensics. 


11. A copy of my curriculum vitae is attached below as Exhibit 1.


II. SUMMARY OF OPINIONS

12. I have been asked to analyze certain documents submitted by Craig Wright (the
“Defendant”) in this litigation and determine, to the extent possible, whether they are authentic,
including but not limited to whether the documents and/or their associated metadata have been 
manipulated or altered since their creation. As part of this analysis, I analyzed the original “native” 
files associated with these documents and their associated metadata. Additionally, some of the 
documents I reviewed contained cryptographic signatures, which I also analyzed. 

13. My analysis determined that certain documents produced by the Defendant in this 
litigation were manipulated — including a number of emails that were purportedly sent by Dave
Kleiman — and are, therefore, not authentic.


III. MATERIALS REVIEWED AND INFORMATION CONSIDERED

14. In forming the opinions expressed in this Report, I have relied on my own
education, knowledge, experience, and training in computer science, as well as my specific
education, knowledge, experience, and training in the fields of applied cryptography and digital
forensics. In addition to the documents cited and information provided in this Report, I have also
considered the documents listed at the end of this Report in forming my opinion.

15. I may review additional documents and information produced by the Parties, as
well as deposition testimony provided after the submission of my Report, if any.

IV. METHODOLOGY


16. The methodology for analyzing the documents described in this report generally
comprises the following components: (i) reviewing the “human-readable” contents of the
documents (e.g. the visible text in an email or PDF file), (ii) analyzing the internal
“machine-readable” code or structure contained within the documents’ native files (e.g. the object code
within a PDF file), and (iii) identifying and extracting metadata about the documents (e.g.
information about how the documents were created, when, and by whom).

17. Some documents I reviewed also included cryptographic signatures within the
visible contents of the documents or embedded in their internal structure. A cryptographic
signature is a mathematical technique for certifying and subsequently verifying the origin and
authenticity of arbitrary computer data, such as a file, email, or other electronic document. The
signature thus allows the recipient to verify the data (i) originated from the expected sender and
(ii) has not been altered. Additionally, a cryptographic signature can also include other information
about the signature, such as the identity of the individual and/or program that created the
cryptographic signature and a timestamp indicating when that signature was created.


V. DOCUMENT ANALYSIS 


A. DEF_00002413

18. I reviewed DEF_00002413, which is a PDF of a purported email sent from Dave
Kleiman to the Defendant on June 24, 2011 attaching certain documents related to the Tulip Trust.
(Fig. 1.) I understand that the Defendant has sworn to the authenticity of this document through a
declaration submitted to this Court. (Ex. 2.) I also understand that this document was produced by
the Defendant as a scan of a hard copy paper document in this litigation.


FIGURE 1. DEF_0002413

Requested attached,
Date: Friday, 24 June 2011 12:04:57 PM
Attachments: Tulip Trust.pdf.asc
Tulip Trust.pdf.tar.asc
Tulip Trust.pdf
Importance: High

Craig,
I think you are mad and this is risky, but I believe in what we are trying to do.

Respectfully,

Dave Kleiman -

19. I also reviewed DEF_00013189 and DEF_00013459, which are PDF files produced
by the Defendant in this litigation. As shown in Figures 2 and 3, the text of DEF_00013459 and
DEF_00013189 is identical to that of the purported email in DEF_00002413, except the date of
the purported email in DEF_00013459 is October 17, 2014 instead of June 24, 2011.

20. I extracted the three attachments from DEF_00013189 and DEF_00013459 which
are identified in the “Attachment” line of the email files. I compared the hash values¹ of the
attachments I extracted from both PDFs and determined the attachments in DEF_00013189 were
identical to those in DEF_00013459. Further, the text of “Tulip Trust.pdf” that I extracted from
the two documents is identical to the version attached to the paper scans as Bates numbers
DEF_00002414-15 that the Defendant swore were authentic.

¹ Hash values (or simply “hashes”) represent large amounts of data as much smaller numeric
values, such that (i) a small change to the input data results in a large change in the hash value,
and (ii) it is impractical to determine the input data from just the hash value. Hashes are commonly
used with cryptographic signatures.


FIGURE 2. DEF_00013459

Craig,

I think you are mad and this is risky, but I believe in what we are trying to do.

Respectfully,

Dave Kleiman - http://www.ComputerForensicExaminer.com - http://www.DigitalForensicExpert.com

FIGURE 3. DEF_00013189

Craig,

I think you are mad and this is risky, but I believe in what we are trying to do.

Respectfully,

Dave Kleiman - http://www.ComputerForensicExaminer.com - http://www.DigitalForensicExpert.com

21. I extracted the metadata associated with DEF_00013189 and DEF_00013459 using
a hex editor.² I have attached the relevant outputs that I analyzed at Exhibits 3-4 (DEF_00013189)
and Exhibits 5-10 (DEF_00013459). The metadata contained within the PDF files associated with
Exhibits 3-4 and Exhibits 5-10 contain DocumentID and InstanceID attributes. A PDF’s
“DocumentID” is a common identifier used to associate multiple versions or revisions of a
particular document, whereas the “InstanceID” is a unique identifier assigned to a specific version
or revision of that document. I determined that DEF_00013189 and DEF_00013459 contain the
same DocumentID but different InstanceID values, which indicates that they are different versions
of the same original document.
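
Added example (not part of the Report or its exhibits): a Python sketch of the DocumentID/InstanceID comparison described above, which also reads the XMP CreateDate and ModifyDate fields so that revisions sharing a DocumentID can be ordered. It assumes the XMP packet is stored uncompressed in the file; the function names, file labels, identifiers and timestamps are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

XPACKET = re.compile(rb"<\?xpacket begin=.*?<\?xpacket end=.*?\?>", re.DOTALL)
FIELDS = {
    "document_id": b"xmpMM:DocumentID",
    "instance_id": b"xmpMM:InstanceID",
    "created": b"xmp:CreateDate",
    "modified": b"xmp:ModifyDate",
    "tool": b"xmp:CreatorTool",
}


def xmp_value(packet, name):
    """Read one XMP property, serialized either as an element or as an attribute."""
    pattern = (rb"<" + name + rb">\s*([^<]+?)\s*</" + name + rb">|"
               + name + rb'\s*=\s*"([^"]*)"')
    m = re.search(pattern, packet)
    return (m.group(1) or m.group(2)).decode("utf-8", "replace") if m else None


def describe(label, pdf):
    """Summarize the last XMP packet found in the raw bytes of one PDF."""
    packets = XPACKET.findall(pdf)
    if not packets:
        return None                      # no uncompressed XMP metadata present
    # Assumption: with incremental saves, the packet nearest the end is the newest.
    record = {key: xmp_value(packets[-1], name) for key, name in FIELDS.items()}
    record.update(file=label, packets=len(packets))
    return record


def parse_xmp_date(value):
    """XMP dates are ISO 8601; missing or zone-less values are treated as UTC."""
    if not value:
        return datetime.min.replace(tzinfo=timezone.utc)
    stamp = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return stamp if stamp.tzinfo else stamp.replace(tzinfo=timezone.utc)


def lineage(files):
    """Group PDFs by DocumentID and order each group's revisions by ModifyDate."""
    groups = defaultdict(list)
    for label, pdf in files.items():
        record = describe(label, pdf)
        if record and record["document_id"]:
            groups[record["document_id"]].append(record)
    report = {}
    for doc_id, revisions in groups.items():
        revisions.sort(key=lambda r: parse_xmp_date(r["modified"]))
        report[doc_id] = {
            "order": [r["file"] for r in revisions],
            "instances": len({r["instance_id"] for r in revisions}),
            "same_create_date": len({r["created"] for r in revisions}) == 1,
        }
    return report


def sample_pdf(doc_id, inst_id, created, modified, as_attributes=False):
    """Constructed input: a PDF-like byte string carrying one XMP packet."""
    props = [("xmpMM:DocumentID", doc_id), ("xmpMM:InstanceID", inst_id),
             ("xmp:CreateDate", created), ("xmp:ModifyDate", modified)]
    if as_attributes:
        inner = "<rdf:Description %s/>" % " ".join('%s="%s"' % p for p in props)
    else:
        inner = "<rdf:Description>%s</rdf:Description>" % "".join(
            "<%s>%s</%s>" % (k, v, k) for k, v in props)
    xmp = ('<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?><x:xmpmeta><rdf:RDF>'
           + inner + '</rdf:RDF></x:xmpmeta><?xpacket end="w"?>')
    return b"%PDF-1.6\n" + xmp.encode() + b"\n%%EOF\n"


# Constructed identifiers and timestamps, not values taken from the exhibits.
SAMPLES = {
    "later.pdf": sample_pdf("uuid:doc-1111", "uuid:inst-bbbb",
                            "2020-01-15T09:00:00+10:00", "2020-01-15T09:10:00+10:00"),
    "earlier.pdf": sample_pdf("uuid:doc-1111", "uuid:inst-aaaa",
                              "2020-01-15T09:00:00+10:00", "2020-01-15T09:05:00+10:00",
                              as_attributes=True),
    "unrelated.pdf": sample_pdf("uuid:doc-2222", "uuid:inst-cccc",
                                "2019-06-01T10:00:00Z", "2019-06-01T10:00:00Z"),
}

if __name__ == "__main__":
    for doc_id, summary in lineage(SAMPLES).items():
        print(doc_id, summary)
```

Files that share a DocumentID and CreateDate but carry different InstanceID values are the pattern the paragraph above treats as revisions of one original document.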

22. Based on my review of Exhibits 5-10, it is my opinion that DEF_00013459 was
created by exporting an email from Microsoft Outlook to PDF. The metadata contained in
DEF_00013459 indicates the original email was sent on or around October 17, 2014 by an
individual using the email account ni Cit and from a computer named 
PCCSW01. It then passed through multiple email servers before being delivered by a server in the 
time zone UTC-5 to the same address that sent it, ri Cit. Once the email was 
exported to PDF, the resulting PDF was modified to appear as if Dave Kleiman had sent the email 
to Craig Wright. 

23. Exhibits 5-6 further show that the purported email in DEF_00013459 was created
using Microsoft Outlook 15.0. I reviewed the Microsoft Outlook version history from a support
page on microsoft.com. (Ex. 11.) Based on my review of Microsoft Outlook’s version history, I
determined that Microsoft Outlook 15.0 was not released to the general public until January 2013.

² A hex editor is a software program that allows the user to see or edit the raw and exact contents
of a file, as opposed to the interpretation of the same content that other, higher level application
software may associate with the file format. For example, this could be raw image data, in contrast
to the way image editing software would interpret and show the same file.

24. Exhibits 5-6 also contain an IP address associated with the individual who sent the 
original email from within Microsoft Outlook. That IP address is rie I looked up certain 
information related to that IP address using the MaxMind GeoIP2 Precision service, which is a 
publicly available service used to identify certain geographical information associated with a 
particular IP address. The GeoIP2 Precision service shows the IP address is associated with Eastern 
Australia. (Ex. 12.) 

25. Based on my review of Exhibits 3-4, it is my opinion that DEF_00013189 was
created by making further edits to DEF_00013459. Specifically, the PDF was modified to make it
appear as if the email was sent on June 24, 2011.

26. I also reviewed DEF_00079344, which is an email file produced by the Defendant
as a .msg³ file a few days before the June 28, 2019 hearing in this matter. The text of
DEF_00079344 is identical to the text in DEF_00002413 and DEF_00013189.

27. I extracted the email header information associated with DEF_00079344 which is
attached at Exhibit 13. The email header contains a timestamp added by Google which is encoded
in milliseconds as a “Unix epoch” timestamp.⁴ The timestamp indicates the purported email in
DEF_00079344 was received by Google’s email server on or about October 24, 2012, over a year
after the date of the alleged email in DEF_00079344 and DEF_00002413. (Ex. 14.)


³ A .msg file is an email file format commonly associated with Microsoft Outlook. It typically
includes not only the content of the email, but also email “header” information and any attachments
included with the email.

⁴ A “Unix epoch” timestamp (or sometimes just “Unix timestamp”) is a numeric value indicating
the time elapsed since midnight on January 1, 1970 UTC. It is usually expressed in seconds but
can also be expressed in milliseconds.


28. Accordingly, it is my opinion that DEF_00002413 is not an authentic document,
but is a forgery created from an email that was sent from craig@ i to
craig @ ER on or about October 17, 2014 and then modified to make it appear as if
the email was sent from Dave Kleiman on June 24, 2011.


B. DEF_00013188

29. I reviewed DEF_00013188, which is a purported email sent from Dave Kleiman to
the Defendant on April 2, 2013 in which Dave allegedly accepts a role at Coin-Exch.
DEF_00013188 was produced by the Defendant as a PDF file.

30. I extracted and analyzed the metadata associated with DEF_00013188. (Ex. 15.)
The extracted metadata indicates that DEF_00013188 contains the same DocumentID as
DEF_00013459 and DEF_00013189, but a different InstanceID, which indicates DEF_00013188
is another revision of the same document.

31. I also reviewed the cryptographic signature contained within DEF_00013188. I
used GnuPG to extract certain information from the GPG signature. GnuPG is a free software 
program that can be used to encrypt, decrypt, and cryptographically sign and verify documents 
and other electronic information. I have attached the GnuPG output associated with this 
cryptographic signature at Exhibit 16. The timestamp from the cryptographic signature contained 
within DEF_00013188 indicates that the signature was created on or about October 23, 2014,
according to the computer on which the signature was created—over a year after Dave Kleiman 
died. 

32. Exhibit 16 also indicates that the key used to create the cryptographic signature in
DEF_00013188 is the same key used to create the cryptographic signature in DEF_00002416 of
the “Tulip Trust.pdf” file allegedly sent by Dave Kleiman to Craig Wright in June 2011. (Ex. 17.)

33. Based on my review of the metadata contained in Exhibit 15 and the information
associated with the cryptographic signature, it is my opinion that DEF_00013188 is not an
authentic email sent by Dave Kleiman in April 2013, but is a forgery created by further modifying
DEF_00013189 to make it appear as if the email was sent from Dave Kleiman to the Defendant
on April 2, 2013.


C. DEF_00050985

34. I reviewed DEF_00050985, which is a purported Deed of Trust between Wright
International Investments Ltd and Tulip Trading Ltd dated October 23, 2012. I understand that the 
Defendant has sworn to the authenticity of this document through a declaration submitted to this 
Court and referred to it as Tulip Trust 1. (Ex. 2.) DEF_00050985 was produced by the Defendant 
as a PDF file. 

35. I extracted and analyzed the metadata associated with DEF_00050985. (Ex. 18.)
The metadata indicates the PDF was allegedly created on October 22, 2012 at 9:09:53 AM 
DICrit. 

36. I extracted five embedded font files contained within the PDF itself. These font 
files each contained cryptographic signatures from Microsoft that indicate the fonts themselves 
were not created until 2015. (Exs. 19-23.) Each of these font files also contained copyright 
information which indicated they were copyrighted in 2015. (Ex. 24.) 

37. It is not possible for a PDF that was created in 2012 to contain embedded font files
that did not exist until 2015. Accordingly, it is my opinion that DEF_00050985 is not an authentic
document and was not created until at least May 22, 2015.

D. DEF_00027291

38. I reviewed DEF_00027291, which is a PDF of a purported email exchange between
Dave Kleiman and the Defendant in September and October 2012 regarding an alleged Seychelles 
trust. 

39. There are two cryptographic signatures visible in DEF_00027291, both allegedly
created by Dave Kleiman. I used GnuPG to extract certain information from the signatures. (Exs. 
25-26.) The data associated with these GnuPG outputs indicates that the cryptographic signatures 
associated with DEF_00027291 were created in February and March 2014, respectively, according
to the computer on which the signatures were created — more than a year after the date associated 
with the exchange in the text of the PDF and almost a year after Dave Kleiman died. 

40. The cryptographic signature on page 1 of the PDF also contains the version number
of the GnuPG program purportedly used to create it: “GnuPG v2.0.20 (MingW32).” However,
based on my review of the GnuPG version history, GnuPG v2.0.20 was not released until May 10,
2013. (Ex. 27.)

41. Accordingly, it is my opinion that DEF_00027291 does not appear to be an
authentic email from Dave Kleiman to Craig Wright but instead appears to be manipulated.
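
Added example (not part of the Report, whose analysis used GnuPG itself): a minimal Python reader for the signer-asserted metadata discussed in this section and in Section B, namely the signature creation time, the issuer key ID and the armor "Version" header, followed by a comparison against a purported date. The function names, the sample key ID, the sample timestamp and the purported date are constructed; the GnuPG v2.0.20 release date is the one stated above.

```python
import base64
from datetime import date, datetime, timezone

def dearmor(block):
    """Return (armor headers, packet bytes) of an armored signature block."""
    lines = [ln.strip() for ln in block.strip().splitlines()]
    start = lines.index("-----BEGIN PGP SIGNATURE-----")
    end = lines.index("-----END PGP SIGNATURE-----")
    headers, b64, in_headers = {}, [], True
    for ln in lines[start + 1:end]:
        if in_headers and ln:
            key, _, value = ln.partition(": ")
            headers[key] = value
        elif in_headers:
            in_headers = False           # blank line ends the armor headers
        elif not ln.startswith("="):     # "=XXXX" is the optional CRC-24 line
            b64.append(ln)
    return headers, base64.b64decode("".join(b64))

def first_packet(data):
    """Return (tag, body) of the first packet (RFC 4880, section 4.2)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                     # new-format header
        tag, b = first & 0x3F, data[1]
        if b < 192:
            length, off = b, 2
        elif b < 224:
            length, off = ((b - 192) << 8) + data[2] + 192, 3
        else:
            raise ValueError("unexpected length encoding for a signature")
    else:                                # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = 1 << ltype                # 1, 2 or 4 length octets
        length, off = int.from_bytes(data[1:1 + size], "big"), 1 + size
    return tag, data[off:off + length]

def subpackets(area):
    """Yield (type, data) for each subpacket of a v4 subpacket area."""
    i = 0
    while i < len(area):
        b = area[i]
        if b < 192:
            length, i = b, i + 1
        elif b < 255:
            length, i = ((b - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length == 0:
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + length]   # length counts the type octet
        i += length

def signature_info(block):
    """Extract signer-asserted metadata; this does not verify the signature."""
    headers, raw = dearmor(block)
    tag, body = first_packet(raw)
    if tag != 2:
        raise ValueError("first packet is not a signature packet")
    created = key_id = None
    if body[0] == 3:                     # v3: fixed layout
        created, key_id = int.from_bytes(body[3:7], "big"), body[7:15]
    elif body[0] == 4:                   # v4: hashed, then unhashed subpackets
        hlen = int.from_bytes(body[4:6], "big")
        ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")
        for area in (body[6:6 + hlen], body[8 + hlen:8 + hlen + ulen]):
            for stype, sdata in subpackets(area):
                if stype == 2:           # signature creation time
                    created = int.from_bytes(sdata, "big")
                elif stype == 16:        # issuer key ID
                    key_id = sdata
    when = None if created is None else datetime.fromtimestamp(created, timezone.utc)
    return {"version_header": headers.get("Version"), "created": when,
            "key_id": key_id.hex().upper() if key_id else None}

def anachronisms(info, purported, releases):
    """List ways the signature metadata postdates the document's claimed date."""
    findings = []
    if info["created"] and info["created"].date() > purported:
        findings.append("signature created %s, after purported date %s"
                        % (info["created"].date(), purported))
    for name, released in releases.items():
        if (info["version_header"] or "").startswith(name) and released > purported:
            findings.append("%s released %s, after purported date %s"
                            % (name, released, purported))
    return findings

def build_sample(created, key_id, version):
    """Constructed input: armored v4 signature packet with dummy signature bytes."""
    hashed = bytes([5, 2]) + int(created.timestamp()).to_bytes(4, "big")
    unhashed = bytes([9, 16]) + key_id
    body = (bytes([4, 0x01, 1, 2]) + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed + b"\x00\x00\x00\x08\xff")
    packet = bytes([0x88, len(body)]) + body   # old format, tag 2, one length octet
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: %s\n\n%s\n-----END PGP SIGNATURE-----"
            % (version, base64.b64encode(packet).decode()))
```

Both the creation time and the Version header are written by the signing computer, so they show what that machine asserted rather than an independently verified time.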


E. DEF_00028008

42. I reviewed DEF_00028008, which contains a purported email sent by Dave
Kleiman to the Defendant in October 2012 regarding a purported list of keys allegedly held in a
trust. DEF_00028008 was originally produced by the Defendant as a .mht file.⁵


⁵ The Defendant later produced a .msg file corresponding to this email; however, given that the
alleged email from Dave Kleiman was “forwarded” to John Chesher and CC’ed to Ramona Watts, 
any email header information contained therein reflects the email from Craig Wright and not the 
alleged email from Dave Kleiman. 


43. DEF_00028008 contains a cryptographic signature allegedly created by Dave
Kleiman. I used GnuPG to extract and analyze certain information from the GPG signature and I
have attached that output at Exhibit 28. The GnuPG output indicates that the cryptographic
signature associated with DEF_00028008 was created on or about March 2, 2014 according to the
computer on which the signature was created—approximately one year after Dave Kleiman died. 

44. Accordingly, it is my opinion that DEF_00028008 does not appear to be an
authentic email from Dave Kleiman to Craig Wright but instead appears to be manipulated.


F. DEF_00056406

45. I reviewed DEF_00000204, DEF_00013376, and DEF_00023252, each of which
contains a series of Bitmessages purportedly sent by Dave Kleiman to the Defendant. Bitmessage 
is a decentralized and encrypted communications protocol that can be used by one person to send 
encrypted messages to another person. Some of these messages display sent or received dates that 
pre-date November 19, 2012. 

46. I interviewed Jonathan Warren (the creator of Bitmessage) via telephone on June
25, 2019, and also reviewed the Bitmessage software’s revision history on GitHub.⁶ Based on my
review, I determined that the Bitmessage software was not made publicly available until November
19, 2012.

47. I also have reviewed Jonathan Warren’s deposition taken on July 24, 2019. Based
on my review, I determined that the Bitmessage “white paper” was not published until after
the Bitmessage software was posted to GitHub, that Warren had not shared the Bitmessage software
or source code with anyone prior to posting it on GitHub on November 19, 2012, and that it would
not have been possible for anyone except Warren to run Bitmessage prior to that date. (Warren
Dep. at 12:1-15:6.) Based on my review I also determined that version 4 Bitmessage addresses
were not available before August 12, 2013. (Id. at 22:4-7.)

⁶ https://github.com/Bitmessage/PyBitmessage

48. I also reviewed the Bitmessage addresses saved in the Defendant’s address book 
that are associated with Dave Kleiman and Craig Wright which were produced by the Defendant 
as DEF_00013147. I determined that both of these addresses are “version 4” Bitmessage addresses.
I then reviewed the GitHub commit history for Bitmessage and determined that support for version 
4 addresses was not introduced until August 2013—almost a year after the messages were 
purportedly sent and approximately four months after Dave Kleiman died. 

49. As these alleged Bitmessages are dated prior to the release of the Bitmessage 
software itself and are sent and received from version 4 addresses, it is my opinion that 
DEF_00000204, DEF_00013376, and DEF_00023252 each contain Bitmessages that are not
authentic messages sent from or to Dave Kleiman, but have been manipulated to appear that way.
Specifically, the messages in these documents dated October 22, 2012, November 6, 2012,
November 7, 2012, November 8, 2012, November 11, 2012, and November 13, 2012 are not
authentic messages sent from or to Dave Kleiman.


G. DEF_00051013

50. I reviewed DEF_00051013, which is a PDF of a purported invoice from High
Secured.com dated May 25, 2015. I understand that the Defendant has sworn to the authenticity
of this document through a declaration submitted to this Court. (Ex. 2.)

51. I reviewed DEF_00051013 by analyzing the internal structure of the PDF file. I
have attached the relevant outputs at Exhibit 29.




52. Based on review of these outputs, it is my opinion that DEF_00051013 was
manipulated and therefore is not authentic. I have attached as Exhibit 30 a demonstrative
identifying in red all edits that were made to the invoice.


H. DEF_00022263

53. I reviewed DEF_00022263, which is a PDF of a purported email exchange between
Dave Kleiman and Craig Wright on or about December 15, 2012 regarding the potential purchase 
of a shelf company. 

54. I extracted and analyzed the metadata contained within DEF_00022263. (Ex. 31.)
The metadata indicates that the PDF was created on March 26, 2014 at 1:19 PM (UTC+11) from
an email in Microsoft Outlook. The PDF was last modified approximately 2 minutes later at 1:21
PM. I analyzed the internal structure of the PDF file and identified TouchUp_TextEdit markers
indicating that modifications had been made to the body of the document. (Ex. 32.)
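
Added example (not part of the Report or its exhibits): one way to look for the TouchUp_TextEdit markers and the creation-to-modification gap described in the paragraph above. The Python below inflates Flate-compressed streams before searching and parses the Info dictionary dates; the helper names and sample PDF bytes are constructed, and the regex-based object scan is a simplification that assumes an unencrypted file without object streams.

```python
import re
import zlib
from datetime import datetime, timedelta, timezone

OBJ = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
PDF_DATE = re.compile(
    rb"/(CreationDate|ModDate)\s*\(D:(\d{14})(?:Z|([+-])(\d{2})'?(\d{2})?'?)?\)")


def stream_data(obj_body):
    """Return the decoded stream of one object, or None if it has no stream."""
    m = STREAM.search(obj_body)
    if not m:
        return None
    raw = m.group(1)
    if b"FlateDecode" in obj_body[:m.start()]:
        try:
            return zlib.decompressobj().decompress(raw)
        except zlib.error:
            return raw               # damaged or differently filtered: search raw bytes
    return raw


def touchup_markers(pdf):
    """Map object number -> count of TouchUp_TextEdit markers in its stream."""
    hits = {}
    for m in OBJ.finditer(pdf):
        data = stream_data(m.group(3))
        count = data.count(b"/TouchUp_TextEdit") if data else 0
        if count:
            hits[int(m.group(1))] = count
    return hits


def info_dates(pdf):
    """Parse /CreationDate and /ModDate (D:YYYYMMDDHHmmSS+HH'mm') as aware datetimes."""
    dates = {}
    for key, stamp, sign, hh, mm in PDF_DATE.findall(pdf):
        offset = timedelta(hours=int(hh or 0), minutes=int(mm or 0))
        if sign == b"-":
            offset = -offset
        naive = datetime.strptime(stamp.decode(), "%Y%m%d%H%M%S")
        dates[key.decode()] = naive.replace(tzinfo=timezone(offset))
    return dates


def triage(pdf):
    """Combine both indicators into one summary for a single file."""
    dates = info_dates(pdf)
    gap = None
    if "CreationDate" in dates and "ModDate" in dates:
        gap = dates["ModDate"] - dates["CreationDate"]
    return {
        "gap": gap,
        "edited_after_creation": bool(gap and gap > timedelta(0)),
        "touchup_streams": touchup_markers(pdf),
    }


def build_sample(edited=True):
    """Constructed input: one Flate-compressed content stream plus an Info dictionary."""
    content = b"BT /F1 10 Tf 72 720 Td (From: sender) Tj ET\n"
    if edited:
        content += b"/TouchUp_TextEdit MP\nBT /F1 10 Tf 72 700 Td (Date: edited) Tj ET\n"
    packed = zlib.compress(content)
    # Minute values follow the times quoted above; the seconds are constructed.
    mod = b"D:20140326132100+11'00'" if edited else b"D:20140326131900+11'00'"
    return b"".join([
        b"%PDF-1.6\n4 0 obj\n<</Filter/FlateDecode/Length ", str(len(packed)).encode(),
        b">>\nstream\n", packed, b"\nendstream\nendobj\n",
        b"9 0 obj\n<</CreationDate(D:20140326131900+11'00')/ModDate(", mod,
        b")>>\nendobj\n",
    ])


if __name__ == "__main__":
    print(triage(build_sample()))
```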

55. The visible content of the PDF contains a cryptographic signature allegedly created
by Dave Kleiman. I analyzed the signature using GPG and determined the signature was created 
on or about March 2, 2014 according to the computer on which it was created—approximately one 
year after Dave Kleiman died. (Ex. 33.)

56. Based on the above findings, it is my opinion that DEF_00022263 was manipulated
and is therefore not authentic.


I. DEF_00022274

57. I reviewed DEF_0002274, which is a PDF of a purported email exchange between
Dave Kleiman and Craig Wright on or about December 6, 2010 regarding the setup of a trust and
the use of certain source code.


58. The first email in the exchange was sent by Dave Kleiman to two email addresses
associated with Craig Wright: craigswright@] and cma = esé*@ The last 
message in the exchange was sent from craig @ it an undisplayed address associated with 
Craig Wright. 

59. I reviewed the domain registration records for panopticrypt.com and rejbr.org using 
the DomainTools service. (Exs. 34 and 35, respectively.) Based on the information provided by 
DomainTools, I determined that the domain panopticrypt.com was first registered on or about June 
18, 2011, and rejbr.org was first registered on or about November 2, 2011. In other words, neither 
domain existed at the time the purported email exchange allegedly occurred in December 2010. 

60. Based on the above findings, it is my opinion that DEF_0002274 was manipulated
and is therefore not authentic.


J. DEF_00027287 and DEF_00027288

61. I reviewed DEF_00027287, which is a PDF of a purported email sent from “Dave
Klieman (sic)” to Uyen Nguyen on or about 8:19:03 AM on Thursday, December 20, 2012 in
which Dave allegedly offers Uyen a role as a director of W&K Information Defense Research
LLC. I also reviewed DEF_00027288, which is a PDF of a second purported email sent from Dave
to Uyen less than an hour later in which Dave thanks Uyen for accepting the role.

62. I extracted and analyzed the metadata associated with DEF_00027287 and
DEF_00027288. (Exs. 36 and 37, respectively.) The metadata associated with DEF_00027287
indicates the PDF was created on or about April 17, 2014 at 8:23:41 AM using Acrobat PDFMaker
11 for Microsoft Outlook on a computer whose time zone was consistent with Sydney, Australia
(UTC+10), and then modified less than five minutes later.

63. The metadata associated with DEF_00027288 indicates the document was created
at the exact same date and time as DEF_00027287, but the ModifyDate fields indicate that
DEF_00027288 was modified approximately five minutes after DEF_00027287 was last modified.
Further, DEF_00027287 and DEF_00027288 contain the same DocumentID but different
InstanceID values, which indicates that they are two versions of the same original document.

64. I analyzed the internal structure of DEF_00027287 and DEF_00027288 and
identified several changes that had been made to both PDFs after they were created. (Exs. 38 and
39, respectively.) In particular, the internal structure of DEF_00027287 indicates that the text
associated with the “From:”, “To:”, and “Date:” fields at the top of DEF_00027287 were edited as
shown in Figure 4.


FIGURE 4. Screenshot of the rendered PDF from DEF_00027287 with the corresponding text
modifications made to the email header highlighted in red.

From: Dave Klieman
Subject: Apppointment letter
Date: Thursday, 20 December 2012 8:19:03 AM


65. I compared the edits made in DEF_00027288 to those made in DEF_00027287 and
determined that the “Date:” field was modified to make it appear as if it were sent less than an
hour after DEF_00027287 was allegedly sent. Additionally, the body of the email was altered from
the body of the email contained in DEF_00027287.

FIGURE 5. Screenshot of the rendered PDF from DEF_00027288 with the previous text
modifications from DEF_00027287 highlighted in red and the subsequent modifications made in
DEF_00027288 highlighted in blue.

From: Dave Klieman
To: Uyen Nguyen
Subject: Apppointment letter
Date: Thursday, 20 December 2012 9:11:14 AM

66. The visible content of DEF_00027287 also contains a cryptographic signature
purportedly created by Dave Kleiman. I extracted and analyzed the cryptographic signature using
GPG. (Ex. 40.) The GnuPG output indicates (i) the signature was created on or about March 12, 2014
according to the computer on which the signature was created; (ii) the signature was created with
Key ID B885B17AC45BED1B which is purportedly associated with Dave Kleiman; and, (iii) the
signature matches the content of the email shown in DEF_00027287. DEF_00027288 does not
contain a cryptographic signature.

67. I also reviewed DEF_00030487, which is a copy of an email sent from
craig. wight to craig. wright on or about April 16, 2014 at
10:21 PM UTC. The content of the email is identical to the content of DEF_00027287, including
the cryptographic signature. The email also contains the same misspelled “Subject” line, which
reads “Apppointment (sic) letter.”

68. I extracted and analyzed the email headers associated with DEF_00030487. (Ex.
41.) The email headers indicate the message originated from IP address 58.160.32.123, which is
associated with Eastern Australia according to MaxMind’s GeoIP Precision service. (Ex. 42.)

69. Based on the findings above, it is my opinion that DEF_00027287 is a forgery
created from an email sent by the Defendant to himself in April 2014 and modified to appear as if
it was sent from Dave Kleiman to Uyen Nguyen in December 2012. DEF_00027288 is also a
forgery created approximately five minutes after DEF_00027287 by subsequently modifying
DEF_00027287 to make it appear as if it was a second email sent from Dave Kleiman to Uyen
Nguyen approximately an hour later.




K. DEF_00027300

70. I reviewed DEF_00027300, which is a PDF of a purported email exchange between
Dave Kleiman and Craig Wright on or about June 27, 2011 in which Craig makes several
allegations about the Australian Tax Office (“ATO”) and an ATO employee named Adam
Westwood.

71. I extracted and reviewed the PDF metadata contained within DEF_00027300. (Exs.
43-44.) The metadata indicated the document was created using Acrobat PDFMaker 11 for 
Microsoft Outlook on or about April 17, 2014 at 2:46 PM in a time zone associated with eastern 
Australia (UTC+10). The metadata objects further indicated that the PDF was modified at least 
twice: once at 3:11 PM (approximately 25 minutes after it was created), and again six minutes later 
at 3:17 PM. (Exs. 43 and 44, respectively.) Both modifications were made on a computer whose 
time zone was UTC+10. 


FIGURE 6. PDF object code extracted from DEF_00027300 which contains references to a
mailing list that is not associated with the body of the purported email.

23 57 24 225 25 369 26 511 27 668 28 822 30 972 31 1154
[23 0 R 24 0 R 25 0 R 26 0 R 27 0 R 28 0 R 30 0 R 31 0 R]
<</A<</S/URI/URI( )>>/BS<</S/S/Type/Border/W 0>>/Border[0 0 0]/Rect[156.0 770.0 317.0 779.0]/Subtype/Link/Type/Annot>>
<</A<</S/URI/URI(mailto:dave@davekleiman.com)>>/BS<</S/S/Type/Border/W 0>>/Border[0 0 0]/Rect[362.0 770.0 407.0 779.0]/Subtype/Link/Type/Annot>>
<</A<</S/URI/URI(mailto:craig@integyrs.com)>>/BS<</S/S/Type/Border/W 0>>/Border[0 0 0]/Rect[156.0 760.0 293.6 769.0]/Subtype/Link/Type/Annot>>
<</A<</S/URI/URI(http://www.computerforensicexaminer.com/)>>/BS<</S/S/Type/Border/W 0>>/Border[0 0 0]/Rect[143.0 627.0 319.0 638.0]/Subtype/Link/Type/Annot>>
<</A<</S/URI/URI(http://www.digitalforensicexpert.com/)>>/BS<</S/S/Type/Border/W 0>>/Border[0 0 0]/Rect[327.0 627.8 479.6 638.0]/Subtype/Link/Type/Annot>>
<</A<</S/URI/URI(mailto:craig@integyrs.com)>>/BS<</S/S/Type/Border/W 0>>/Border[0 0 0]/Rect[163.263 546.818 328.263 557.818]/Subtype/Link/Type/Annot>>
<</A<</S/URI/URI( )>>/BS<</S/S/Type/Border/W 0>>/Border[0 0 0]/Rect[78.0 387.0 338.8 398.0]/Subtype/Link/Type/Annot>>
<</A<</S/URI/URI( )>>/BS<</S/S/Type/Border/W 0>>/Border[0 0 0]/Rect[78.0 339.0 338.0 350.0]/Subtype/Link/Type/Annot>>

72. I also analyzed the internal structure of the PDF file and identified within it the PDF 
object code shown in Figure 6. (Ex. 45.) The PDF object code defines several links to email 
addresses and other URLs referenced in the body of the purported email. The PDF object code 
also defines links and email addresses not referenced in the visible text of the purported email 
associated with an email-based mailing list for the discussion of computer forensics (the “CCE2” 
list). Both Craig Wright and Dave Kleiman appear to have been members of the mailing list based 
on my review of email messages produced by the Defendant. 

73. I identified DEF_00014589 among documents produced by the Defendant, which 
is a native .msg file of an email sent to the same “CCE2” mailing list referenced in the PDF object 
code shown in Figure 6. Exhibit 46 shows the email headers contained in 
DEF_00014589, which indicate the email was sent by ea | to the CCE2 
mailing list, and was subsequently received by cic Cit at the exact same date and 
time as the alleged email in DEF_00027300, but with entirely different email text. 

74. Based on the above findings, it is my opinion that DEF_00027300 is a forgery made 
in April 2014 by creating a PDF of an email sent to a mailing list by Dave Kleiman in June 2011, 
and then modifying the PDF to make it appear as if it was an unrelated email exchange between 
Craig Wright and Dave Kleiman in 2011. 


L. DEF_00027303 

75. I reviewed DEF_00027303, which is a PDF file of a purported email from Dave 
Kleiman to Craig Wright on or about December 10, 2012 regarding the establishment of a “shelf 
company” called Design by Human. 

76. I extracted and analyzed a PDF metadata object from DEF_00027303. (Exs. 47- 
48.) The metadata indicates the document was created on or about March 26, 2014 at 1:18 PM in 
a time zone associated with eastern Australia (UTC+11). It was modified approximately two 
minutes later. 

77. The visible content of the purported email in DEF_00027303 contains a 
cryptographic signature allegedly created by Dave Kleiman. I analyzed the signature using GPG. 
(Ex. 49.) Based on the GPG output, I determined the signature was created on February 28, 2014 
at 5:49 AM UTC according to the computer on which it was created. 

78. I identified DEF_00068505 among documents produced by the Defendant, which 
is a native .msg email file representing an email sent from craig @ it to cig on 
or about February 28, 2014 at 5:15 AM UTC. (Ex. 50.) DEF_00068505 contains the same text as 
DEF_00027303, but with a different cryptographic signature allegedly created by Dave Kleiman. 

79. I analyzed the signature in DEF_00068505 using GPG. (Ex. 51.) Based on the GPG 
output, I determined the signature was created on February 28, 2014 at 5:14 AM UTC according 
to the computer on which it was created—approximately one minute before DEF_00068505 was 
sent from the Defendant to himself and approximately 35 minutes before the signature in 
DEF_00027303 was created. 

80. Based on the above findings, it is my opinion that DEF_00027303 is a forgery made 
from an email sent from craic @ ii to cnig Git on or about February 28, 2014, 
creating a PDF of that email, and modifying the PDF to appear as if it represented an email sent 
by Dave Kleiman to Craig Wright. 


M. DEF_00027289 
81. I reviewed DEF_00027289, which is a PDF of a purported email from Dave 
Kleiman to Uyen Nguyen on or about October 13, 2012 at 10:16 AM in which Dave allegedly 
appoints Uyen as “COO” of a UK-based company identified by the number 08248988. I 
understand from DEF_00027303 that the numeric company identifier 08248988 corresponds to an 
alleged shelf company called Design by Human. 

82. The subject of the email is “Nomination”. In the content of the purported email, 
Dave states that he has attached an appointment letter for Uyen to sign. The “Attachments” field 
of the purported email further references an attached file named “Untitled attachment 00958.txt.” 
I extracted the attached file from the PDF, the content of which is shown in Figure 7. The 
attachment refers to an email-based mailing list related to computer security and appears to be 
unrelated to the appointment of Uyen Nguyen as COO of Design by Human. 


FIGURE 7. Contents of “Untitled attachment 00958.txt” extracted from DEF_00027289. 

Yasml mailing list 
osm i 
https://www.opensecnet.com/mailman/listinfo/yasml 


DO NOT SHARE ANYTHING ON THIS LIST UNLESS YOU GET PERMISSION FROM THE ORIGINAL SOURCE. WHEN 
SHARING DO NOT MENTION THIS LIST, YOU MAY MENTION THE ORIGINAL SOURCE IF THEY ALLOW IT. 





83. I extracted and analyzed the PDF metadata contained within DEF_00027289. (Ex. 
52.) The CreateDate field in the metadata object indicates that the PDF was created on or about 
October 13, 2012 at 1:22 PM in a time zone associated with eastern Australia (UTC+11) — 
approximately three hours after the purported email in DEF_00027289 was allegedly sent. The 
PDF was last modified on or about April 15, 2014 at 10:58 AM (UTC+10). 

84. I identified DEF_00014910 among documents produced by the Defendant, which 
is an email by Dave Kleiman to the same ysl Ci mailing list referenced in the 
attachment in Figure 7. The subject of the email is “Member Nomination”. 


85. I extracted the email headers from DEF_00014910. (Ex. 53.) According to the 
email headers, the email was received by craig wich i on or about 
October 12, 2012 at 4:16 PM (UTC-7) which is equivalent to 10:16 AM (UTC+11) — the exact 
same date and time shown in DEF_00027289. 

86. I analyzed the internal PDF file structure of DEF_00027289. Among the 
modifications made to the PDF, I identified the section of PDF object code in Exhibit 54 which 
indicates that the recipient of the email was changed to Uyen Nguyen, and that the original contents 
of the email itself had been removed and replaced with the text visible in DEF_00027289. 

87. Based on the above findings, it is my opinion that DEF_00027289 is a forgery made 
by creating a PDF of an email sent to a mailing list by Dave Kleiman in October 2012, and then 
modifying the PDF to make it appear as if it was an unrelated email sent by Dave Kleiman to Uyen 
Nguyen on the same date and time as the original email. 


N. DEFAUS_00521091 

88. I reviewed DEFAUS_00521091, which is a purported certificate of registration for 
Panopticrypt Pty Ltd issued by the Australian Securities and Investments Commission (“ASIC”) 
on June 20, 2011. 

89. I extracted and analyzed the PDF metadata contained within DEFAUS_00521091. 
(Ex. 55.) The metadata shows the PDF was created on or about April 17, 2013 at 7:13 AM—almost 
two years after the certificate was allegedly issued. The PDF metadata also indicated the document 
was later modified on or about October 23, 2014 at 7:39 AM on a computer with a time zone 
associated with eastern Australia (UTC+11). 

90. I identified DEF_00045255 among the documents produced by the Defendant, 
which is a similar certificate of registration of a company issued by ASIC to Coin-Exch Pty. Ltd. 
on or about April 17, 2013. I extracted and analyzed the PDF metadata contained within 
DEF_00045255 and determined it had the exact same CreateDate as DEFAUS_00521091. (Ex. 
56.) 

91. I also analyzed the internal structure of DEFAUS_00521091. I identified PDF 
object code which indicated that the company name, company number, and issue date had been 
modified. (Ex. 57.) 

92. Based on the above findings, it is my opinion that DEFAUS_00521091 is a forgery 
created on or about October 23, 2014 by modifying a certificate of registration issued to 
Coin-Exch Pty Ltd in April 2013 to make it appear as if the certificate was issued to Panopticrypt Pty 
Ltd in June 2011. 


O. DEF_00029509 

93. I reviewed DEF_00029509, which is a PDF containing several purported email 
exchanges between the Defendant and ATO employees. The individual email exchanges within 
DEF_00029509 are labeled DM1 through DM7. Based on my review of the document, as well as 
other documents produced by the Defendant, the authenticity of some portions of the email 
exchanges appears to be disputed by the ATO. 

94. I identified DEF_00030109 among the documents produced by the Defendant, 
which is a .msg file containing a purported conversation between the Defendant and ATO 
employee Hao Khuu. The text of DEF_00030109 is the same as the email conversation containing 
DM1 and DM2 from DEF_00029509. I also identified DEF_00074274 among the documents 
produced by the Defendant, which appears to be a PDF of DEF_00030109. DEF_00074274 was 
named “Hoa Khuu emails altered 2.pdf” when produced by the Defendant. 

95. I also identified DEF_00030131 among the documents produced by the Defendant, 
which is a .msg file containing a second purported conversation between the Defendant and Khuu. 
The text of DEF_00030101 is the same as the email conversation containing DM3 and DM4 from 
DEF_00029509. I also identified DEF_000167853 among the documents produced by the 
Defendant, which appears to be a PDF of DEF_00030131. DEF_000167853 was named “Hoa 
Khuu emails altered.pdf” when produced by the Defendant. 

96. I also identified DEF_00046674 among the documents produced by the Defendant, 
which is a .msg file containing a third purported conversation between the Defendant and Khuu. I 
also identified DEF_00074276 among the documents produced by the Defendant, which appears 
to be a PDF of DEF_00046674. DEF_00074276 was named “Hoa Khuu emails from ATO 
unaltered.pdf” when produced by the Defendant. The text of DEF_00046674 is substantially 
different from DM1, DM2, DM3, and DM4. 

97. I extracted the email headers from DEF_00046674, DEF_00030131, 
DEF_00030109. (Exs. 58 - 60.) Each email header includes a “DKIM-Signature” field, which is a 
unique cryptographic signature computed by the sender’s email server over several fields of the 
email, such as the subject, date, and, in this case, email content. The DKIM-Signature field is 
identical for all three emails, including timestamp and hash of the message contents, despite having 
different timestamps and contents. 
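
The comparison described in paragraph 97 can be automated. The following is an added example, not code from the report or its exhibits: it recomputes the DKIM body hash (the bh= tag, RFC 6376) for each message, compares the t= tag with the Date header, and lists signatures that appear on messages with differing bodies. It assumes SHA-1 or SHA-256 body hashes and no l= length tag, and it does not verify the RSA signature in b=, which would require the signer's public key from DNS. All messages, addresses and the b= value are constructed.

```python
import base64
import hashlib
import re
from email import message_from_string
from email.utils import formatdate, parsedate_to_datetime


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Folding whitespace inside tag values is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonical_body(body, mode):
    """'simple' or 'relaxed' body canonicalization (RFC 6376, section 3.4)."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()  # trailing empty lines are ignored in both modes
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_digest(body, mode="relaxed", algo="sha256"):
    digest = hashlib.new(algo, canonical_body(body, mode)).digest()
    return base64.b64encode(digest).decode()


def check_message(raw):
    """Return the facts an examiner compares: bh= match and Date versus t=."""
    msg = message_from_string(raw)
    tags = parse_dkim_tags(msg["DKIM-Signature"])
    mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    algo = "sha1" if tags.get("a", "").endswith("sha1") else "sha256"
    actual = body_digest(msg.get_payload(), mode, algo)
    sent = parsedate_to_datetime(msg["Date"]).timestamp()
    return {
        "signature": tags["b"],
        "body_hash_ok": actual == tags["bh"],
        "actual_digest": actual,
        "date_minus_t": int(sent - int(tags["t"])),  # seconds
    }


def reused_signatures(raw_messages):
    """Map each b= value seen on differing bodies to the messages carrying it."""
    groups = {}
    for name, raw in raw_messages.items():
        info = check_message(raw)
        groups.setdefault(info["signature"], []).append((name, info["actual_digest"]))
    return {
        sig: sorted(name for name, _ in members)
        for sig, members in groups.items()
        if len({digest for _, digest in members}) > 1
    }


# --- Constructed sample data (not taken from any exhibit) ---
SIGNED_AT = 1500000000  # constructed Unix time placed in t=
SIGNED_BODY = "Please find the requested schedule attached.\n"


def build(body, seconds_after_signing):
    """Constructed message that always carries the ORIGINAL signature header."""
    return (
        "From: sender@example.org\n"
        "To: recipient@example.net\n"
        f"Date: {formatdate(SIGNED_AT + seconds_after_signing, usegmt=True)}\n"
        "Subject: Schedule\n"
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\n"
        f" s=sel1; t={SIGNED_AT}; h=from:to:date:subject;\n"
        f" bh={body_digest(SIGNED_BODY)};\n"
        " b=Q09OU1RSVUNURUQ=\n"  # placeholder, not a real RSA signature
        "\n" + body
    )


SAMPLES = {
    "original": build(SIGNED_BODY, 0),
    "altered_a": build("The earlier assessment has been withdrawn.\n", 1785),
    "altered_b": build("No further documents are required.\n", 90000),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_message(raw))
    print(reused_signatures(SAMPLES))
```

A signature header copied onto a message with a different body fails the bh= comparison even without access to the signer's key, which is why identical DKIM-Signature values on differing messages are significant.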

98. I also identified DEF_00030136 among the documents produced by the Defendant, 
which is a .msg file containing a purported email from ATO employee Brigid Kinloch to the 
Defendant and John Chesher. The text of DEF_00030136 is the same as DM5 from 
DEF_00029509. I also identified DEF_00074267 among the documents produced by the 
Defendant, which appears to be a PDF of DEF_00030136 with certain text highlighted. 
DEF_00074267 was named “Birgid Kinloch email altered.pdf” when produced by the Defendant. 

99. I extracted the email headers from DEF_00030136. (Ex. 61.) The email headers 
include two “Content-Type” headers, which are used to instruct an email client how to interpret the 
contents of the email. One Content-Type header contains a timestamp corresponding to 4:33:27 
AM on Friday, November 1, 2013 (UTC). The “Date” field in the email header field, on the other 
hand, indicates the email was sent at 5:03:12 AM on Friday, November 1, 2013 (UTC). 

100. I identified DEFAUS_00654293 among the documents produced by the Defendant, 
which contains an email sent from Brigid Kinloch to the Defendant and John Chesher. The text of 
the email is similar to DM5, but certain parts of the two messages differ. I extracted the email 
headers from DEFAUS_00654293. (Ex. 62.) The headers indicate the email was sent at 4:33:27 
AM on Friday, November 1, 2013 (UTC) — the exact same time as the Content-Type header in 
DEF_00030136. 

101. I also identified DEF_00074272 among the documents produced by the Defendant, 
which is a PDF containing an email exchange between the Defendant and Brigid Kinloch. The 
first email chronologically in the exchange is identical to the text of DEFAUS_00654293. 
DEF_0007472 was named “Birgid Kinloch email from ATO unaltered.pdf” when produced by the 
Defendant. 

102. I also identified DEF_00030137 among the documents produced by the Defendant, 
which contains an email sent from ATO employee Celeste Salem to the Defendant. The text of 
DEF_00030137 is the same as DM6 from DEF_00029509. I extracted the email headers from 
DEF_00030137. (Ex. 63.) The “Date” field in DEF_00030137 purports that the email was sent on 
or about July 15, 2013 at 4:52:43 PM (UTC+11). Conflictingly, the “X-OriginalArrivalTime” and 
multiple “Received” header fields indicate the email was sent on or about July 15, 2014— 
approximately one year after the purported date of the email. Additionally, the final email server 
in the email’s path references Microsoft SMTP Server 14.3.158.1, which is a version of the 
Microsoft Exchange email server software which was not released until August 8, 2013. (Ex. 64.) 
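
The three header checks in paragraph 102 can be expressed as code. The following is an added example, not code from the report or its exhibits: it compares the sender-controlled Date header with the Received timestamps, the X-OriginalArrivalTime value, and the release date of the server build named in the path. The 15-minute tolerance, the function names and the sample headers are assumptions made for illustration; the only build number and release date used are the ones stated in paragraph 102.

```python
import re
from datetime import date, datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

TOLERANCE = timedelta(minutes=15)  # assumed allowance for clock skew and queueing
# Build number and release date as stated in paragraph 102 of the report.
RELEASED = {"14.3.158.1": date(2013, 8, 8)}
BUILD_RE = re.compile(r"Microsoft SMTP Server(?: \(TLS\))? id (\d+(?:\.\d+){3})")
ARRIVAL_RE = re.compile(r"\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2}")


def aware(dt):
    """Treat a timestamp without an offset as UTC so values can be compared."""
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def received_times(msg):
    """Timestamps of the Received headers in order of travel (oldest first)."""
    times = []
    for value in reversed(msg.get_all("Received", [])):
        stamp = value.rsplit(";", 1)[-1].strip()  # date-time follows the last ';'
        try:
            times.append(aware(parsedate_to_datetime(stamp)))
        except (TypeError, ValueError):
            continue  # unparsable hop: skip it rather than guess
    return times


def audit_dates(raw):
    """Return (finding, days) pairs where transport data contradicts Date."""
    msg = message_from_string(raw)
    claimed = aware(parsedate_to_datetime(msg["Date"]))
    findings = []
    hops = received_times(msg)
    if hops and hops[0] - claimed > TOLERANCE:
        findings.append(("date_precedes_first_hop", (hops[0] - claimed).days))
    if hops and claimed - hops[-1] > TOLERANCE:
        findings.append(("date_after_final_delivery", (claimed - hops[-1]).days))
    arrival = ARRIVAL_RE.search(msg.get("X-OriginalArrivalTime", ""))
    if arrival:
        seen = datetime.strptime(arrival.group(), "%d %b %Y %H:%M:%S")
        gap = abs(aware(seen) - claimed)
        if gap > TOLERANCE:
            findings.append(("date_vs_original_arrival", gap.days))
    for value in msg.get_all("Received", []):
        build = BUILD_RE.search(" ".join(value.split()))  # undo header folding
        if build and build.group(1) in RELEASED:
            lead = (RELEASED[build.group(1)] - claimed.date()).days
            if lead > 0:  # software in the path did not exist on the claimed date
                findings.append(("server_build_postdates_date", lead))
    return findings


def sample(date_header):
    """Constructed message; hosts, addresses and ids are placeholders."""
    return (
        "Received: from mx2.example.net (192.0.2.25) by mbx.example.net (192.0.2.26)\n"
        " with Microsoft SMTP Server (TLS) id 14.3.158.1; Tue, 3 Jun 2014 09:15:07 +1000\n"
        "Received: from mail.example.org (198.51.100.7) by mx2.example.net\n"
        " with ESMTP id constructed1; Tue, 3 Jun 2014 09:15:05 +1000\n"
        "X-OriginalArrivalTime: 02 Jun 2014 23:15:05.0467 (UTC)\n"
        f"Date: {date_header}\n"
        "From: officer@example.org\nTo: recipient@example.net\nSubject: Review\n"
        "\nConstructed body.\n"
    )


SUSPECT = sample("Mon, 3 Jun 2013 09:15:03 +1000")
CONSISTENT = sample("Tue, 3 Jun 2014 09:15:03 +1000")

if __name__ == "__main__":
    print(audit_dates(SUSPECT))
    print(audit_dates(CONSISTENT))
```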

103. I also identified DEF_00023312 among the documents produced by the Defendant, 
which contains an email purportedly sent from the Defendant to ATO employee Shalyce Dempster 
on or about July 18, 2013. The text and image within DEF_00023312 are identical to DM7 from 
DEF_00029509. I also identified DEF_00035418, which is a PDF of an email sent by Defendant 
to ATO employee Michael Hardy and Jamie Wilson on or about September 12, 2013. The email 
includes the July 18 email allegedly sent to Shalyce Dempster and has the same timestamp; 
however, the text of the July 18 email is different from that of DEF_00023312. 

104. Based on the above findings, it is my opinion that DEF_00029509 contains multiple 
forged emails that were created by modifying the contents of legitimate emails from ATO 
employees. 


VI. RESERVATION OF RIGHTS 

105. I reserve all rights to modify or supplement this Report if I become aware of any 
errors or misstatements, or if I become aware of other data or other evidence relevant to my 
position. I also reserve all rights to respond to any statements made by the Defendant or his 
witnesses or expert witnesses to which a response is appropriate. 

106. I understand that several depositions remain to be taken in this matter. I may also 
modify or supplement my opinions in view of opinions or arguments made by any person, 
including Defendant’s counsel and anyone engaged by Defendant to provide opinions. I may also 
modify or supplement my opinions if the Court provides litigants with any pertinent additional 
rulings. 

107. I may expand or modify my opinions as my investigation and study continues and 
supplement my opinions in light of any relevant orders from the Court or in response to any 
additional information I review, and matters the Defendant raises, or any opinions Defendant’s 
experts may provide. 

108. I may prepare and use graphics, images, photographs, video recordings, test data, 
animations, and other presentation aids to help me explain my opinions. I may also use images, 
photographs, graphics, animations, and other presentation aids prepared by other witnesses to help 
me explain my opinions. 


I declare under penalty of perjury that the foregoing Report is true and accurate. 


Dated: December 13, 2019 


Dr. Matthew J. Edman 
Lana‘i, HI 

UNITED STATES DISTRICT COURT 
SOUTHERN DISTRICT OF FLORIDA 

CASE NO.: 9:18-cv-80176-BB 

IRA KLEIMAN, as the personal representative 
of the Estate of David Kleiman, and W&K Info 
Defense Research, LLC, 

Plaintiffs, 

v. 

CRAIG WRIGHT, 

Defendant. 

CONTAINS CONFIDENTIAL INFORMATION SUBJECT TO PROTECTIVE ORDER 

SUPPLEMENTAL EXPERT REPORT OF DR. MATTHEW J. EDMAN 

I submit this Supplemental Report in the above-captioned action on behalf of Ira Kleiman, as 
the personal representative of the Estate of David Kleiman, and W&K Info Defense Research, 
LLC (collectively, “Plaintiffs”). 


I. DEF_00247440 


1. In my previous expert report, I analyzed several documents which contain 
Bitmessages purportedly sent from, or to, Dave Kleiman. As described in my report, Bitmessage 
is a decentralized and encrypted communications protocol that can be used by one person to send 
encrypted messages to another person. 

2. Since the submission of my previous report, I have analyzed additional documents 
to supplement my previous analysis. Specifically, I identified DEF_00247440 which is a 
“keys.dat” file produced by the Defendant. The keys.dat file is associated with Bitmessage and 
contains Bitmessage application configuration settings, as well as private encryption keys 
associated with Bitmessage addresses. (Ex. 1-2.) The Bitmessage Wiki¹ notes that the keys.dat file 
“contains sensitive data that can be abused to impersonate others.” 

3. I reviewed the contents of DEF_00247440 and identified multiple Bitmessage 
“address blocks” containing private keys for Bitmessage addresses that documents produced by 
the Defendant purportedly associate with Dave Kleiman and others. I used the Bitmessage 
software available on its Github page to verify that the private key information contained within 
DEF_00247440 corresponds to the relevant Bitmessage addresses contained therein. 





1 A wiki is a web site on which users collaborate to create and maintain content. Bitmessage uses 
a wiki to provide information on the program, as well as information regarding its operation and 
communications protocol. 

4. Thus, the Defendant had the means to send Bitmessages from the addresses listed 
in DEF_00247440 and, therefore, Bitmessages sent from these addresses could have been sent by 
the Defendant. 


II. KLEIMAN_00278248 

5. I reviewed KLEIMAN_00278248. This appears to be an email from the Defendant 
to himself that contains a message purportedly from, and purportedly cryptographically signed by, 
Dave Kleiman which the Defendant then forwarded to Ira Kleiman on or about February 24, 2014 
at 5:56 AM UTC. 

6. I also reviewed DEF_00068503, which appears to be a draft of the email above that 
contains a different cryptographic signature, also purportedly belonging to Dave Kleiman. I 
analyzed the signature in DEF_00068503 using GPG. (Ex. 3.) Based on the GPG output, I 
determined the signature was created on or about February 28, 2014 at 4:56 AM UTC according 
to the computer on which it was created. 

7. In my previous report, I reviewed DEF_00068505 which I stated “contains the same 
text” as DEF_00027303 but with a different cryptographic signature. On further review, I 
identified minor changes in the text between the two documents resulting in the different 
cryptographic signature. DEF_00068505 also contains slight modifications to the text in 
DEF_00068503. As described in my previous report (¶ 78), the cryptographic signature in 
DEF_00068505 was created on or about February 28, 2014 at 5:15 AM UTC. 

8. I also analyzed the cryptographic signature in KLEIMAN_00278248 (Ex. 4.), the 
text of which contains further modifications to the text in DEF_00068505. Based on the GPG 
output, I determined the signature in KLEIMAN_00278248 was created on February 28, 2014 at 
5:49 AM UTC according to the computer on which it was created—approximately seven minutes 
before KLEIMAN_00278248 was sent from the Defendant to Ira Kleiman. Additional documents 
containing this exact signature from KLEIMAN_00278248 include DEFHC_01518698, 
DEFHC_01518683, DEF_00000103, and DEF_00027303. 

9. Based on the above findings, it is my opinion that the signed message included in 
KLEIMAN_00278248 is a forgery. 


Dated: January 13, 2020 




Dr. Matthew J. Edman 
Miami, FL 

UNITED STATES DISTRICT COURT 
SOUTHERN DISTRICT OF FLORIDA 

CASE NO.: 9:18-cv-80176-BB 

IRA KLEIMAN, as the personal representative 
of the Estate of David Kleiman, and W&K Info 
Defense Research, LLC, 

Plaintiffs, 

v. 

CRAIG WRIGHT, 

Defendant. 

CONTAINS CONFIDENTIAL INFORMATION SUBJECT TO PROTECTIVE ORDER 

SECOND SUPPLEMENTAL 
EXPERT REPORT OF DR. MATTHEW J. EDMAN 

I submit this Second Supplemental Report in the above-captioned action on behalf of Ira 
Kleiman, as the personal representative of the Estate of David Kleiman, and W&K Info Defense 
Research, LLC (collectively, “Plaintiffs”). 


I. DEF_00051010 


1. I reviewed DEF_00051010, which is a PDF that appears to be a scan of a printout 
of an alleged invoice from HighSecured.com dated March 10, 2014. The invoice purports to show 
payment for an “IaaS¹ agreement.” I understand the Defendant has previously sworn to the 
authenticity of this document. (Craig Wright Decl. (May 13, 2019), attached as Exhibit 1.) 

2. I identified DEF_01600685 which is a PDF that is visually identical to the scanned 
invoice in DEF_00051010. I extracted and analyzed metadata associated with DEF_01600685. 
(Exs. 2-5.) The metadata indicates DEF_01600685 was initially created on or about August 22, 
2014 and later modified on or about September 9, 2014 on a computer whose time zone is 
consistent with eastern Australia (UTC+10). The metadata also indicates the title of the document 
is “InvoiceSale (4Cabling).” 

3. I also identified DEF_01600654, which is a PDF of an invoice from a company 
called 4Cabling for the purchase of extension cords. The invoice was attached to an email in 
DEF_01600652, which contains an order confirmation from 4Cabling sent to Craig Wright on or 
about August 22, 2014. I extracted and analyzed the metadata associated with DEF_01600654. 
(Ex. 6.) I determined the metadata in Exhibit 6 contains hexadecimal-encoded values, which I 
decoded³ and have attached at Exhibit 7. The decoded values in the metadata indicate 
DEF_01600654 was created at the exact same time and contains the exact same title (“InvoiceSale 
(4Cabling)”), creator tool (“Jim2 Business Engine”), and producer (“ReportBuilder”) as the 
purported HighSecured.com invoice in DEF_01600685. 

1 “IaaS” often refers to “Infrastructure as a Service,” which describes a service provider that hosts 
physical computing resources (e.g. computer servers, storage, and networking devices), and 
provides access to those resources via a remote interface (e.g. a website or an application 
programming interface or “API”). Microsoft Azure and Amazon Web Services are examples of 
IaaS providers. 

2 PDF documents can include internal metadata in an older format known as a “document 
information dictionary” and/or in a newer XML-based format called the “Extensible Metadata 
Platform” (“XMP”). XMP metadata typically contains at least the same information as the 
document information dictionary and may include additional detail or other metadata fields. In my 
experience, many PDF documents (including DEF_01600685) include both types of metadata for 
compatibility with older PDF reader software. While DEF_01600654 includes only the older 
document information dictionary metadata, I have included both types of metadata from 
DEF_01600685 for comparison. 

4. I also analyzed the internal structure of DEF_01600685. I determined that 
DEF_01600685 and DEF_01600654 contain the same PDF file identifiers. (Exs. 8-10 and Ex. 11, 
respectively.) A PDF file identifier is like a DocumentID in that it contains a unique value which 
can be used to associate multiple versions of the same document. In other words, the file identifiers 
in DEF_01600685 and DEF_01600654 indicate they are two versions of the same document. 

5. I also identified numerous TouchUp_TextEdit marked content points in 
DEF_01600685 that indicate the PDF had been modified. (Ex. 12.⁴) I have attached a 
demonstrative that highlights the portions of text in DEF_01600685 that appear to have been 
modified based on my review. (Ex. 13.) 
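
The two structural checks in paragraphs 4 and 5 can be scripted. The following is an added example, not code from the report or its exhibits: it reads the trailer /ID array, whose first element is set when a file is created and kept across later saves while the second changes on update, and it lists the text drawn after each /TouchUp_TextEdit marked-content point. It assumes uncompressed or Flate-compressed content streams and literal strings shown with the Tj operator; the sample files, identifiers and text are constructed.

```python
import re
import zlib

ID_RE = re.compile(rb"/ID\s*\[\s*<([0-9A-Fa-f]+)>\s*<([0-9A-Fa-f]+)>\s*\]")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
MARK_RE = re.compile(rb"/TouchUp_TextEdit\s+MP")
END_TEXT_RE = re.compile(rb"\bET\b")
SHOW_RE = re.compile(rb"\(((?:\\.|[^\\()])*)\)\s*Tj")


def file_identifiers(pdf):
    """Return (permanent, changing) /ID pairs, one per trailer, in file order."""
    return [(m.group(1).lower().decode(), m.group(2).lower().decode())
            for m in ID_RE.finditer(pdf)]


def decoded_streams(pdf):
    """Yield every stream body, inflated when it is Flate-compressed."""
    for match in STREAM_RE.finditer(pdf):
        raw = match.group(1)
        try:
            # decompressobj ignores the end-of-line bytes before 'endstream'
            yield zlib.decompressobj().decompress(raw)
        except zlib.error:
            yield raw  # not Flate data: scan the bytes as they are


def touchup_edits(pdf):
    """Text shown after each /TouchUp_TextEdit marked-content point."""
    edits = []
    for stream in decoded_streams(pdf):
        for mark in MARK_RE.finditer(stream):
            end = END_TEXT_RE.search(stream, mark.end())
            segment = stream[mark.end(): end.start() if end else len(stream)]
            shown = [s.group(1).decode("latin-1") for s in SHOW_RE.finditer(segment)]
            edits.append(" ".join(shown))
    return edits


def compare_versions(a, b):
    """Report whether two files share a permanent ID and which carry edits."""
    ids_a, ids_b = file_identifiers(a), file_identifiers(b)
    same = bool(ids_a and ids_b) and ids_a[0][0] == ids_b[0][0]
    return {"same_permanent_id": same,
            "edits_in_a": touchup_edits(a),
            "edits_in_b": touchup_edits(b)}


def make_pdf(content, permanent_id, changing_id):
    """Constructed PDF fragment: one Flate content stream plus a trailer."""
    data = zlib.compress(content)
    return (b"%PDF-1.6\n4 0 obj\n<</Filter/FlateDecode/Length "
            + str(len(data)).encode() + b">>\nstream\n" + data
            + b"\nendstream\nendobj\ntrailer\n<</Size 5/Root 1 0 R/ID[<"
            + permanent_id + b"><" + changing_id + b">]>>\n%%EOF\n")


# Constructed identifiers and text; none of these values come from an exhibit.
PERMANENT = b"00112233445566778899AABBCCDDEEFF"
ORIGINAL = make_pdf(b"BT /F1 10 Tf 72 700 Td (Cable order) Tj ET\n",
                    PERMANENT, PERMANENT)
EDITED = make_pdf(
    b"BT /F1 10 Tf 72 700 Td /TouchUp_TextEdit MP (Consulting services) Tj ET\n",
    PERMANENT, b"FFEEDDCCBBAA99887766554433221100")

if __name__ == "__main__":
    print(compare_versions(ORIGINAL, EDITED))
```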

6. Accordingly, it is my opinion that DEF_00051010 does not represent an authentic 
invoice from HighSecured.com, but instead has been manipulated. 


3 There are myriad ways to decode hexadecimal-encoded values. In this instance, I simply used 
Python to automate the process. For example, the Python command 
"5265706f72744275696c646572".decode("hex") produces the string “ReportBuilder”. 

4 The relevant PDF object streams in this document and other PDF documents described in this 
report were decoded using PDFStreamDumper v0.9.627 unless otherwise noted. 

II. DEF_01369890 

7. I reviewed DEF_01369890, which is a PDF document purporting to show the 
appointment of David Kleiman as a director of COIN LTD on or about October 14, 2012. 

8. I extracted and analyzed the metadata from DEF_01369890. (Ex. 14.) The metadata 
indicates the document was created on or about April 15, 2014 in a time zone consistent with 
eastern Australia (UTC+10). 

9. I also analyzed the internal structure of DEF_01369890. I identified a 
TouchUp_TextEdit marker indicating the text within the document had been modified. (Ex. 15.) 
Specifically, the internal structure of the document indicates a portion of the text had been modified 
to “Accepted.” I attach at Exhibit 16 a demonstrative highlighting the modified text in red. I also 
identified within DEF_01369890 a PDF object that demonstrates the unmodified text of the 
document. (Ex. 17.) The unmodified text indicates the appointment of Kleiman as a director of 
CO1N LTD was submitted on or about April 13, 2014—approximately a year after David Kleiman 
died. 

10. Accordingly, it is my opinion that DEF_01369890 is not an authentic document, 
but instead has been manipulated. 

III. DEF_01369891 

11. I reviewed DEF_01369891, which is a PDF document purporting to show the 
termination of David Kleiman as a director of COIN LTD on or about April 26, 2013. 

12. I extracted and analyzed the metadata from DEF_01369891. (Ex. 18.) The metadata 
indicates the document was created on or about April 15, 2014 in a time zone consistent with 
eastern Australia (UTC+10). 

13. I also analyzed the internal structure of DEF_01369891. I identified a 
TouchUp_TextEdit marker indicating the text within the document had been modified. (Ex. 19.) 
Specifically, the internal structure of the document indicates a portion of the text had been modified 
to “Accepted.” I attach at Exhibit 20 a demonstrative highlighting the modified text in red. I also 
identified within DEF_01369891 a PDF object that contains the unmodified text of the document. 
(Ex. 21.) The unmodified text indicates the termination of Kleiman as a director of COIN LTD 
was submitted on or about April 15, 2014. 

14. Accordingly, it is my opinion that DEF_01369891 is not an authentic document, 
but instead has been manipulated. 

IV. DEFAUS_00708272 

15. I reviewed DEFAUS_00708272, which is a PDF document purporting to show a 
change in company details associated with COIN PTY LTD submitted to the Australian Securities 
& Investments Commission (“ASIC”) on or about April 22, 2013. 

16. I extracted and analyzed the metadata from DEFAUS_00708272. (Ex. 22.) The 
metadata indicates the document was created on or about April 22, 2014, and later modified on or 
about August 6, 2014, in a time zone consistent with eastern Australia (UTC+10). 

17. I also analyzed the internal structure of DEFAUS_00708272. I identified multiple 
TouchUp_TextEdit markers indicating the text within the document had been modified. (Exs. 23- 
24.) Specifically, the document had been modified to appear as if it had been submitted and signed 
on April 22, 2013. I attach at Exhibit 25 a demonstrative highlighting the modified text in red. I 
also identified PDF objects within DEFAUS_00708272 that contain the unmodified text of the 
document. (Exs. 26-27.) The unmodified text indicates the change to company details was 
submitted to ASIC on or about April 22, 2014. 

18. Accordingly, it is my opinion that DEFAUS_00708272 is not an authentic 
document, but instead has been manipulated. 

V. DEFAUS_00519695 

19. I reviewed DEFAUS_00519695, which is a PDF of a purported invoice from 
“Abacus (Seychelles) Limited” for “Company management and nominee services” dated October 
17, 2014. The “Company Details” of the purported invoice references “Wright International 
Investments Ltd.” 

20. I extracted and analyzed the metadata from DEFAUS_00519695. (Ex. 28.) The 
metadata indicates the PDF was created on or about October 17, 2014 (UTC+4). The metadata 
also indicates the PDF was later modified on or about October 18, 2014 in a time zone consistent 
with eastern Australia (UTC+11). 

21. I also analyzed the internal structure of DEFAUS_00519695. I identified multiple 
TouchUp_TextEdit markers indicating the text within the document had been modified. (Ex. 29.⁵) 
I also identified a PDF object within DEFAUS_00519695 that appears to contain the unmodified 
text of the document. (Ex. 30.) The unmodified text indicates the invoice was originally for 
“Purchase of 2009 shelf company” which was later modified to “Company management and 
nominee services.” I have attached at Exhibit 31 a demonstrative highlighting the modified text in 
red. 

22. Accordingly, it is my opinion that DEFAUS_00519695 is not an authentic 
document, but instead has been manipulated. 


5 Extracted using pdf-parser.py v0.7.4 (Python 2.7.16). 

VI. DEFAUS_00519698 

23. I reviewed DEFAUS_00519698, which is a PDF of a purported invoice from 
“Abacus (Seychelles) Limited” for “Management and trust accounting Seychelles company” dated 
October 17, 2014. The “Company Details” of the purported invoice references “Tulip Trading 
Limited.” 

24. I extracted and analyzed the metadata from DEFAUS_00519698. (Exs. 32-33.) The 
metadata indicates the PDF was created on or about October 17, 2014 (UTC+4). The metadata 
also indicates the PDF was later modified on or about October 18, 2014 in a time zone consistent 
with eastern Australia (UTC+11). 

25. I also analyzed the internal structure of DEFAUS_00519698. I identified a 
TouchUp_TextEdit marker indicating the text within the document had been modified. (Ex. 34.⁶) 
I also identified a PDF object within DEFAUS_00519698 that appears to contain the unmodified 
text of the document. (Ex. 35.) The unmodified text indicates the invoice was originally for 
“Purchase of Seychelles 2011 shelf company” which was later modified to “Management and trust 
accounting Seychelles company.” I have attached at Exhibit 36 a demonstrative highlighting the 
modified text in red. 

26. I identified DEFAUS_00519687, which is a PDF of an invoice from “Abacus 
(Seychelles) Limited.” DEFAUS_00519687 was attached to the email in DEF_00046662 sent 
from ni i . craig. wright on or about October 17, 2014. 
The file attachment was named “Invoice_Tulip.pdf.” 

27. I extracted and analyzed the metadata from DEFAUS_00519687. (Ex. 37.) The 
metadata indicates DEFAUS_00519687 has the exact same creation date and time as 
DEFAUS_00519698. I also extracted the file identifiers from DEFAUS_00519698 and 
DEFAUS_00519687. (Exs. 38 and 39, respectively.) The file identifiers indicate 
DEFAUS_00519698 and DEFAUS_00519687 are two versions of the same document. 

6 Extracted using the same technique as in Footnote 5. 

28. Accordingly, it is my opinion that DEFAUS_00519698 is not an authentic 
document, but instead has been manipulated. 
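
The two structural checks described in this section, as an added Python example that is not taken from the report or its exhibits: it counts TouchUp_TextEdit markers inside content streams (inflating Flate-compressed ones first) and compares the trailer /ID pairs of two files. It assumes the “file identifiers” are the trailer /ID array, whose first element is kept across saves of one document; the sample bytes and identifiers are constructed.

```python
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
ID_RE = re.compile(rb"/ID\s*\[\s*<([0-9A-Fa-f]+)>\s*<([0-9A-Fa-f]+)>\s*\]")
TJ_RE = re.compile(rb"\((.*?)\)\s*Tj")  # simple literal strings only, no escaped parentheses
MARKER = b"/TouchUp_TextEdit"


def decoded_streams(pdf: bytes):
    """Yield every stream body, inflated when it holds Flate (zlib) data."""
    for match in STREAM_RE.finditer(pdf):
        raw = match.group(1)
        try:
            # decompressobj tolerates the end-of-line bytes that precede "endstream"
            yield zlib.decompressobj().decompress(raw)
        except zlib.error:
            yield raw  # not Flate data: scan the bytes as stored


def touchup_marker_count(pdf: bytes) -> int:
    """Number of TouchUp_TextEdit markers found in any stream."""
    return sum(body.count(MARKER) for body in decoded_streams(pdf))


def shown_text(pdf: bytes):
    """Literal strings passed to the Tj (show text) operator, in stream order."""
    return [text.decode("latin-1")
            for body in decoded_streams(pdf)
            for text in TJ_RE.findall(body)]


def file_identifiers(pdf: bytes):
    """Return (permanent_id, changing_id) from the last trailer /ID, or None."""
    pairs = ID_RE.findall(pdf)
    if not pairs:
        return None
    permanent, changing = pairs[-1]
    return permanent.lower().decode(), changing.lower().decode()


def same_origin(pdf_a: bytes, pdf_b: bytes) -> bool:
    """True when both files carry the same permanent (first) identifier."""
    ids_a, ids_b = file_identifiers(pdf_a), file_identifiers(pdf_b)
    return ids_a is not None and ids_b is not None and ids_a[0] == ids_b[0]


def build_sample(content: bytes, permanent_id: str, changing_id: str) -> bytes:
    """Constructed PDF-like fragment: one compressed content stream plus a trailer."""
    data = zlib.compress(content)
    return (
        b"%PDF-1.6\n4 0 obj\n<< /Length " + str(len(data)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + data + b"\nendstream\nendobj\n"
        + b"trailer\n<< /Root 1 0 R /ID [<" + permanent_id.encode()
        + b"> <" + changing_id.encode() + b">] >>\n%%EOF\n"
    )


# Constructed samples; the two descriptions are the ones quoted in paragraph 25.
SAMPLE_ORIGINAL = build_sample(
    b"BT /F1 10 Tf 72 640 Td (Purchase of Seychelles 2011 shelf company) Tj ET",
    "11" * 16, "22" * 16)
SAMPLE_EDITED = build_sample(
    b"/TouchUp_TextEdit MP\n"
    b"BT /F1 10 Tf 72 640 Td (Management and trust accounting Seychelles company) Tj ET",
    "11" * 16, "33" * 16)
SAMPLE_UNRELATED = build_sample(
    b"BT /F1 10 Tf 72 640 Td (Unrelated page) Tj ET", "44" * 16, "44" * 16)

if __name__ == "__main__":
    for name, pdf in [("original", SAMPLE_ORIGINAL), ("edited", SAMPLE_EDITED)]:
        print(name, touchup_marker_count(pdf), shown_text(pdf), file_identifiers(pdf))
    print("same origin:", same_origin(SAMPLE_ORIGINAL, SAMPLE_EDITED))
```

A matching first identifier with a differing second one is what a re-saved copy of the same file looks like; the marker count only shows that an edit tool touched the text, not what the earlier text was.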


VII. DEFAUS_01746855 

29. I reviewed DEFAUS_01746855, which is a .msg file representing an email 
purportedly sent from “Satoshi Nakamoto <satoshi@vistomail.com>” to “Sommer, Andrew 
<asommer@ on or about January 9, 2014. “John Chesher 
<john.chesher@hotwirepe.com>” and “Ramona Watts <ramona.watts@ are also 
carbon copied (or “CC’ed”) on the email. 

30. I extracted and analyzed the mail transport headers contained in 
DEFAUS_01746855. (Ex. 40.⁷) The “From:” header field in the email contains the value “Satoshi 
Nakamoto <satoshi@vistomail.com>” which is what would typically be visible as the sender’s 
name and email address to the recipient by their email client software. The value contained in the 
“From:” header, however, can be manipulated by the sender of the email to make it appear as if 
the email originated from a different address. In my experience, manipulating or “spoofing” the 
“From:” header in an email is a common technique used by spammers, phishers, and other 
malicious actors to make a forged email appear to be legitimate. 

31. In order to limit abuse of forged sender email addresses, the recipient’s email server 
can use a number of defenses, including querying the sender’s Sender Policy Framework⁸ (“SPF”) 
records. SPF enables the owner of a domain name (e.g. “vistomail.com”) to define via public DNS⁹ 
records the IP address or addresses of email servers allowed to originate email for that domain. 
Upon receiving an email, the recipient’s email server can then query the public SPF records 
associated with the sender’s domain and verify that the IP address of the sender’s email server is 
permitted to send email for that domain. 

7 I extracted the mail transport headers using Microsoft Outlook 2016 and OutlookSpy 4.1.0.3915. 
8 “Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1”, 
https://tools.ietf.org/html/rfc7208 

32. I analyzed the series of “Received:” headers contained within DEFAUS_01746855, 
which are added by the email servers which relay the email from the sender to the recipient. Each 
email server that processes and relays the email message adds a “Received:” header on top of the 
previous server’s “Received:” header, and so they are read chronologically from bottom to top. 
The “Received:” header on lines 22-25 of Exhibit 40 indicates the email was sent using the email 
server “cp-34.webhostbox.net” by a user identified as “cwright” from the IP address 14.1.17.85. 
The “Received:” header on lines 15-18 of Exhibit 40 indicates that the email server 
“cp-34.webhostbox.net” was associated with the IP address 199.79.62.121 at the time the email was 
sent. 

33. I reviewed the historical SPF records for vistomail.com. (Ex. 41.¹⁰) At the time 
DEFAUS_01746855 was sent, the following IP addresses were permitted to originate email from 
vistomail.com addresses: 190.123.200.34, 190.123.200.36, and 190.123.200.37. The IP address 
associated with the email server “cp-34.webhostbox.net” (199.79.62.121) was not permitted to 
send email from vistomail.com email addresses. 

9 The Domain Name System (“DNS”) is a system for mapping domain names (e.g. google.com) 
to an IP address (e.g. 172.217.11.14). It can also be used to associate other information with a 
domain name, such as the email servers used to receive mail for the domain. 

10 SecurityTrails is a publicly available service which provides, among other things, access to 
archived DNS records. It is a service that I have relied upon before and, in my professional 
experience, is a reliable source of information. 
34. I identified DEFAUS_00624435, which is a second email purportedly sent from 
satoshi@vistomail.com to ut. non or about January 27, 2014. I extracted and 
analyzed the mail transport headers contained in DEFAUS_00624435. (Ex. 42.) The “Received:” 
header on lines 19-23 of Exhibit 42 indicates the email was sent using the same email server as 
DEFAUS_01746855 (“cp-34.webhostbox.net”) by the same user (“cwright”) and from the same 
IP address (14.1.17.85). The “Received:” header on lines 7-11 of Exhibit 42 indicates the email 
was relayed from “cp-34.webhostbox.net” to an email server associated with Google 
(“mx.google.com”). “cp-34.webhostbox.net” was again associated with the IP address 
199.79.62.121 at the time the email was sent. The “Received-SPF:” header on line 12 of Exhibit 
42 indicates that Google’s email server queried the SPF records associated with “vistomail.com” 
and determined that 199.79.62.121 was not a permitted sender for satoshi@vistomail.com, which 
is consistent with the historical SPF records shown in Exhibit 41. 

35. Accordingly, it is my opinion that DEFAUS_01746855 is not an authentic email 
from satoshi@vistomail.com, but instead has been manipulated. 
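
The header analysis in paragraphs 31 to 34, as an added Python example that is not part of the report: it reads the “Received:” chain oldest first, takes the IP address that handed the message to the recipient side, and evaluates it against an SPF record. The email and the SPF record text are constructed (only the host names and IP addresses come from the report, and the “-all” terminator is an assumption); the same evaluation applies to the highsecured.com addresses discussed in Section XI.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not Exhibit 40: the host names and IP addresses are the ones the
# report quotes; ids, times, the recipient host and the header layout are made up.
SAMPLE_EMAIL = """\
Received: from cp-34.webhostbox.net (cp-34.webhostbox.net [199.79.62.121])
\tby mx.recipient.example with ESMTPS id constructed-2;
\tThu, 09 Jan 2014 01:00:05 +0000
Received: from [14.1.17.85] (helo=constructed-client)
\tby cp-34.webhostbox.net with esmtpa id constructed-1;
\tThu, 09 Jan 2014 01:00:00 +0000
From: Satoshi Nakamoto <satoshi@vistomail.com>
Subject: constructed sample

(body omitted)
"""

# Constructed record text: only the permitted addresses come from the report.
SPF_RECORDS = {
    "vistomail.com":
        "v=spf1 ip4:190.123.200.34 ip4:190.123.200.36 ip4:190.123.200.37 -all",
    "highsecured.com":
        "v=spf1 ip4:192.184.8.9 ip4:200.46.241.86 ip4:201.218.236.45 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")


def relay_hops(raw: str):
    """Return the Received: hops oldest first (the headers are stored newest first)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        ip, by = IP_RE.search(value), BY_RE.search(value)
        hops.append({"client_ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None})
    return hops


def evaluate_spf(record: str, client_ip: str) -> str:
    """Evaluate the ip4/ip6/all mechanisms of one SPF record, left to right."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    address = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        if "=" in term:
            return "unresolved"  # redirect=/exp= modifiers need live DNS
        qualifier, mechanism = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, argument = mechanism.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            return "unresolved"  # a, mx, include, exists, ptr need live DNS lookups
        try:
            network = ipaddress.ip_network(argument, strict=False)
        except ValueError:
            return "permerror"
        if address.version == network.version and address in network:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


def check_message(raw: str, records: dict):
    """Return (sender domain, IP that handed the mail to the recipient side, SPF result).

    SPF is evaluated on the envelope sender; this sketch assumes it shares the
    domain of the From: header, as in the constructed sample.
    """
    domain = parseaddr(message_from_string(raw)["From"])[1].rpartition("@")[2].lower()
    handoff_ip = relay_hops(raw)[-1]["client_ip"]
    return domain, handoff_ip, evaluate_spf(records[domain], handoff_ip)


if __name__ == "__main__":
    for hop in relay_hops(SAMPLE_EMAIL):
        print(hop)
    print(check_message(SAMPLE_EMAIL, SPF_RECORDS))
```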

VIII. WAT00000001 

36. I reviewed WAT00000001, which is a .msg file of an email purportedly sent from 
"Ramona Watts <rmon@ fin to ric or about May 28, 2012. (Ex. 
123.) 

37. I extracted and analyzed the email headers contained within WAT00000001. (Ex. 
42.) The “Content-Type:” header includes a “boundary” parameter (Ex. 43, Lines 9-10), which is 
used to delimit portions of an email message (e.g. an HTML-encoded message, a plaintext 
message, and/or file attachments). The boundary parameter can contain an arbitrary value, but 
many email clients include the timestamp as part of the boundary parameter. The “Content-Type:” 
boundary value in WAT00000001 contains the timestamp “01D5B69B.712E1810”¹¹ which 
corresponds to a human-readable timestamp of December 19, 2019 at 6:38:01 PM (UTC). 

38. I also extracted and analyzed the email content (or “body”) of WAT00000001. The 
email contains both a plaintext body (Ex. 44) and HTML body (Ex. 45).¹² The HTML body 
indicates it was created or edited with “Microsoft Word 15” (Ex. 45, Line 1), which corresponds 
to Microsoft Word 2013. Microsoft Word 2013 was released to the general public as part of Office 
2013 in or about early 2013. (Exs. 46-48.) The HTML body also includes a reference to an attached 
file “filelist.xml” with an associated FILETIME of “01D5B69B.61B47460,” which corresponds 
to a human-readable timestamp of December 19, 2019 at 6:37:35 PM (UTC). 

39. Accordingly, it is my opinion that WAT00000001 is not an authentic email, but 
instead has been manipulated. 
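
The timestamp comparison in paragraphs 37 and 38, as an added Python example that is not part of the report: it finds FILETIME-shaped tokens in a message source, decodes them with the FILETIME epoch of January 1, 1601 (UTC), and reports those that fall after the message’s own “Date:” header. The email is constructed; only the two hexadecimal values and the May 28, 2012 date come from the report, and the boundary prefix and the filelist.xml reference layout are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Eight hex digits, a dot, eight hex digits. A high word starting 01C or 01D
# covers roughly the years 2000 to 2029, which keeps unrelated hex out.
STAMP_RE = re.compile(
    r"(?<![0-9A-Fa-f])(01[CDcd][0-9A-Fa-f]{5})\.([0-9A-Fa-f]{8})(?![0-9A-Fa-f])")

# Constructed message, not the exhibit.
SAMPLE_EMAIL = """\
From: sender@example.invalid
To: recipient@example.invalid
Date: Mon, 28 May 2012 10:00:00 +1000
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative;
\tboundary="----=_NextPart_000_0000_01D5B69B.712E1810"

------=_NextPart_000_0000_01D5B69B.712E1810
Content-Type: text/plain; charset="us-ascii"

constructed plaintext body
------=_NextPart_000_0000_01D5B69B.712E1810
Content-Type: text/html; charset="us-ascii"

<html><head><meta name=Generator content="Microsoft Word 15 (filtered medium)">
<link rel=File-List href="cid:filelist.xml@01D5B69B.61B47460"></head>
<body>constructed HTML body</body></html>
------=_NextPart_000_0000_01D5B69B.712E1810--
"""


def filetime_to_datetime(high_hex: str, low_hex: str) -> datetime:
    """Decode the two 32-bit halves of a FILETIME into a UTC datetime."""
    ticks = (int(high_hex, 16) << 32) | int(low_hex, 16)  # 100-nanosecond intervals
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def embedded_filetimes(raw: str) -> dict:
    """Map each distinct FILETIME-shaped token in the source to its decoded time."""
    found = {}
    for match in STAMP_RE.finditer(raw):
        found[match.group(0).upper()] = filetime_to_datetime(match.group(1), match.group(2))
    return found


def anachronisms(raw: str, tolerance: timedelta = timedelta(days=1)) -> dict:
    """Embedded timestamps that are later than the Date: header by more than tolerance."""
    claimed = parsedate_to_datetime(message_from_string(raw)["Date"])
    if claimed.tzinfo is None:  # "-0000" dates parse as naive; treat them as UTC
        claimed = claimed.replace(tzinfo=timezone.utc)
    return {stamp: when for stamp, when in embedded_filetimes(raw).items()
            if when - claimed > tolerance}


if __name__ == "__main__":
    for stamp, when in sorted(anachronisms(SAMPLE_EMAIL).items()):
        print(stamp, when.isoformat())
```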

IX. DEF_01596539 

40. I reviewed DEF_01596539, which is a PDF of a webpage purportedly showing the 
contents of a “Client Area” associated with a HighSecured.com customer account. The PDF 
purports to have been created on or about October 15, 2014. 

41. I extracted and analyzed metadata contained in DEF_01596539. (Ex. 49.) The 
metadata indicates DEF_01596539 was created on or about October 15, 2014 at 10:02:15 AM in 
a time zone consistent with eastern Australia (UTC+11). 

11 The timestamp is formatted as a Microsoft “FILETIME” structure, which is a 64-bit value that 
represents the number of 100-nanosecond intervals that have elapsed since January 1, 1601 UTC. 
12 Many email clients include both a plaintext body and an HTML body. While HTML-formatted 
emails can contain more elaborate content and formatting (e.g. fonts, tables, hyperlinks, etc.), not 
all email reader software supports HTML-formatted emails. Instead, such software can simply 
display the plaintext email body which contains just the content without additional formatting 
instructions. 
42. I analyzed the internal structure of DEF_01596539. I identified multiple 
TouchUp_TextEdit markers indicating the text within the document had been modified. (Exs. 50-51.) 
In particular, the document title in the header of each page appears to have been modified to 
“Client Area — High Secured.” The URL in the footer of the first page appears to have been 
modified to reference the URL “https://support.highsecurted.com/clientarea.php.” The URL in 
the footer of the second page appears to have been modified to reference the URL 
“https://support.highsecured.com/clientarea.php.” Additionally, I identified numerous hyperlinks 
within the document that reference the domain “demo.whmcs.com.” (Exs. 52-53.) I attach at 
Exhibit 54 a capture of demo.whmcs.com as of October 22, 2014.¹³ 

43. I also identified DEFAUS_01757607, which is also a PDF of a webpage 
purportedly showing the contents of a “Client Area” associated with a HighSecured.com customer 
account. DEFAUS_01757607 is visually similar to DEF_01596539, but large portions of the 
content have been removed. I extracted and analyzed metadata from DEFAUS_01757607. (Ex. 
56.) The metadata indicates DEFAUS_01757607 was created on or about October 15, 2014 at 
10:02:15 AM (UTC+11)—the exact same time as DEF_01596539. The metadata further indicates 
the document was modified approximately 13 minutes later at 10:15:49 AM in a time zone 
consistent with eastern Australia (UTC+11). DEFAUS_01757607 contains the exact same 
DocumentID as DEF_01596539, which indicates they are two versions of the same document. 

44. Accordingly, it is my opinion that DEF_01596539 and DEFAUS_01757607 are not 
authentic documents, but instead have been manipulated. 

13 The client area of demo.whmcs.com required a login, which was publicly available. (Ex. 55.) 
The archived content of demo.whmcs.com, however, only includes the pre-login content. 

X. RITZELA@HIGHSECURED.NET 


45. I reviewed multiple emails purportedly sent by “Ritzela De Gracia 
<i between April and June 2015. 
A. DEF_01616105 

46. I reviewed DEF_01616105, which is a purported email sent on or about April 28, 
2015 from “Ritzela De Gracia <ritzela@highsecured.net>” to “Andrew Sommer 
<asommer@ “Heydon Miller nico and Ramona 
Watts. Craig S Wright is CC’ed on the email.¹⁴ 

47. I extracted and analyzed the mail transport headers contained in DEF_01616105. 
(Ex. 57.) The email’s “From:” header indicates the email was purportedly sent from an email 
address using the domain HighSecured.net, rather than HighSecured.com.¹⁵ I reviewed historical 
domain registration records (or “WHOIS” information) for HighSecured.net.¹⁶ Based on my 
review, I determined the following: 

Date                          | Description 
------------------------------+------------------------------------------------------------------ 
May 27, 1999                  | HighSecured.net is registered to Tangerine International, Inc. (Ex. 59.) 
May 27, 2001                  | HighSecured.net expires. (Ex. 59.) 
February 13, 2007             | HighSecured.net is re-registered to “Stuart Greatbanks (info@ ED of Spirit Island, S.A. (Ex. 60.) 
January 17, 2008              | The registration information is updated to list “Ritzela De Gracia (info@ of Secure Registrations Ltd. as the registrant, technical, and administrative contact. (Ex. 61.) 
February 14, 2013             | HighSecured.net expires. (Ex. 62.) 
April 27, 2015                | HighSecured.net is re-registered. The registrant name is listed as “ANONYMOUSSPEECH ANONYMOUSSPEECH” and the registrant email address is contact@ The registration information does not reference High Secured or Ritzela De Gracia. (Ex. 63.) 
April 27, 2015 - June 4, 2015 | The registrant name is changed to “HIGHSECURED HIGHSECURED” and the registrant email address is changed to ritzeladegracia@ (Ex. 64.) 
April 27, 2016                | HighSecured.net expires. (Ex. 65.) 

14 The native email file appears to contain incorrectly formatted email addresses for Ramona Watts 
and Craig Wright and so it is not clear exactly to which addresses associated with Watts and Wright 
the email was intended to be sent. (Ex. 57, Lines 20 and 44). 

15 See, for example, DEF_00051010 and DEF_0051013, which only contain highsecured.com and 
which the Defendant has sworn are authentic. See also High Secured’s “Contact Us” page as 
archived on May 3, 2015 which also only contain <a | email addresses. (Ex. 58.) 
16 All records were obtained via DomainTools (www.domaintools.com). 

48. Exhibits 66 and 67 show the WHOIS information for HighSecured.com before and 
after (respectively) the time HighSecured.net was re-registered to “Stuart Greatbanks 
(info@highsecured.com)” in February 2007. The WHOIS information associated with 
HighSecured.com is consistent with that of HighSecured.net in Exhibit 60. 

49. Exhibits 68 and 69 show the WHOIS information for HighSecured.com before and 
after (respectively) the time HighSecured.net expired in February 2013. The WHOIS information 
associated with HighSecured.com is consistent with that of HighSecured.net in Exhibits 61 and 
62. 

50. Exhibits 70 and 71 show the WHOIS information for HighSecured.com before and 
after (respectively) the time HighSecured.net was re-registered via AnonymousSpeech.com on 
April 27, 2015. The WHOIS information associated with HighSecured.com is not consistent with 
that of HighSecured.net in Exhibits 59, 60, 61, 62, 63, 64, or 65. 

51. The “Date:” header in DEF_01616105 indicates the email was sent on or about 
April 28, 2015 at 1:02:40 AM (UTC+1)—approximately seven hours after HighSecured.net was 
re-registered using WHOIS information inconsistent with its prior registrant after being inactive 
for over two years. (Ex. 57, Line 2.) 

52. The “Received:” headers in DEF_01616105 indicate the email was sent from 
ritzela@highsecured.net using the email server “us2.outbound.mailhostbox.com.” (Ex. 57, Line 
7.) I reviewed public DNS records for HighSecured.net and verified that its MX¹⁷ records indicate 
it was configured to use email servers operated by mailhostbox.com between April 28, 2015 and 
May 18, 2016. (Ex. 72.) 

53. I previously analyzed DEF_00013459 which I determined to be a forgery based on 
an email sent from i to rig IE 72, Section V.A.) 
The mail transport headers contained within the metadata in DEF_00013459 show that email was 
also sent using an outbound.mailhostbox.com server as in DEF_01616105. I reviewed archived 
DNS records for panopticrypt.com and confirmed that the domain was configured to use email 
servers associated with mailhostbox.com at the times DEF_00013459 and DEF_01616105 were 
sent. (Ex. 74.) 

54. I also identified DEF_00807313, which is an email sent from “Craig S Wright 
<craig wright @ i on or about May 3, 2012 using the exact same email 
server domain and IP address as in DEF_01616105. (Ex. 75.) I reviewed archived DNS records 
for information-defense.com and confirmed that the domain was configured to use email servers 
associated with mailhostbox.com at the time DEF_00807313 was sent. (Ex. 76.) 

17 A domain’s mail exchanger (or “MX”) record specifies the email servers responsible for 
receiving incoming mail. It does not necessarily specify the server used for outgoing email, but, in 
my experience, both incoming and outgoing email servers are typically hosted and/or operated by 
the same organization (e.g. mailhostbox.com). 

55. The content of DEF_01616105 includes a PGP public key purportedly associated 
with Ritzela De Gracia.¹⁸ (Ex. 77.) I used GPG to extract metadata from the public key in 
DEF_01616105. (Ex. 78.) The metadata indicates the public key has the identifier 
“F1022CEB0BA110B2” (or “0BA110B2” in short form) and was purportedly created on or about 
June 27, 2010 according to the computer on which it was created. 

B. DEF_01591420 


56. I also reviewed DEF_01591420, which is an email purportedly from “Ritzela De 
Gracia <ritvel@i to “Craig S Wright <rig wich @ i 
“Ramona Watts <ramona.watts@)qAiiiii “Heydon Miller 
<hdmiller@ ', and “Andrew Sommer <asommer (ia sent on or 
about April 28, 2015 at 1:10:23 AM UTC. (Ex. 79.) 





57. The content of DEF_01591420 contains a PGP-signed message alleging that the 
“Bit-message (sic)” address “BM-2cWjjZt7JKvnszN458cEiPi6XdkFrNL7E3” is “associated with 
HighSecure. (sic)” I used GnuPG to verify the signature in DEF_01591420. The GPG output 
indicates the signature was created on or about April 28, 2014 at 1:09:14 AM UTC using the PGP 
key referenced in DEF_01616105 purportedly associated with “Ritzela De Gracia 
«ive (Ex. 80.) 

18 The content of the email also includes a link to the same public key on pgp.mit.edu, which is a 
public “keyserver” used for distributing PGP public keys. However, pgp.mit.edu, like other public 
keyservers, does not perform any identity verification to ensure the uploaded public key belongs 
to the user identified in the public key itself. Thus, it is possible for anyone to upload a public key 
purportedly belonging to anyone else. 
58. I previously reviewed DEF_00247440, which is a Bitmessage “keys.dat” file 
produced by the Defendant. (Ex. 81.) DEF_00247440 contains a Bitmessage address block 
corresponding to the Bitmessage address in DEF_01591420. 

59. Thus, the Defendant had the means to send Bitmessages from the address listed in 
DEF_01591420 and, therefore, Bitmessages sent from that address could have been sent by the 
Defendant. 

C. DEF_01587951 


60. I also reviewed DEF_01587951, which is an email purportedly from “Ritzela De 
Gracia <i ie to “Craig S Wright <craig. wright Gian sent on 
or about May 6, 2015 at 12:41:08 AM UTC. “Ramona Watts <ramona. wats 
“Heydon Miller <hdmitle i and “Sommer, Andrew 
<asommer (in are CC’ed on the email. (Ex. 82.) 

61. DEF_01587951 contains an attached file named “Andrew.Sommer.zip.” I extracted 
the attachment and analyzed the contents of the .zip file. The attachment contains three files: 
“Andrew Sommer.pdf”,¹⁹ “Andrew Sommer.pdf.sig”,²⁰ and “Andrew Sommer.pdf.tar.asc”.²¹ 

62. “Andrew Sommer.pdf” is a PDF of a letter addressed to Andrew Sommer 
purportedly signed by “THE PRESIDENT” and “THE SECRETARY” of HighSecured.com. The 
invoice number (“00649395”) referenced in the purported letter matches the invoice number in 
DEF_00051010, which I previously analyzed in Section I and, in my opinion, is a forgery derived 
from an unrelated invoice from 4Cabling for extension cables sent to Craig Wright on or about 
August 22, 2014. Additionally, the purported sum (“60,000 BTC”), contract number (“1566”), 
payment date (“03/10/2014”), payment address²², and description of services listed in “Andrew 
Sommer.pdf” match the manipulated invoice in DEF_00051010. 

19 DEF_01587954 
20 DEF_01587955 
21 DEF_01587956 

63. I extracted and analyzed the metadata from “Andrew Sommer.pdf.” (Ex. 83.) The 
metadata indicates the PDF was created on or about May 5, 2015 at 10:38:52 PM in a time zone 
consistent with eastern Australia (UTC+10). 

64. I reviewed “Andrew Sommer.pdf.sig” which appears to be a cryptographic 
signature of “Andrew Sommer.pdf.” I used GPG to verify the signature, and to extract metadata 
regarding the signature and the PGP public key used to create the signature. (Exs. 84-85.) 

65. The metadata indicates the signature was created using PGP public key ID 
5D303347E3C7665F, which is purportedly associated with info@highsecured.com (instead of 
‘iv i The PGP public key was created on or about November 10, 2010 at 
11:21:34 PM (UTC) according to the computer on which it was created. 

66. The metadata further indicates the signature was created on or about November 10, 
2010 at 11:31:02 PM (UTC) according to the computer on which it was created. In other words, 
the cryptographic signature of “Andrew Sommer.pdf” was purportedly created almost five years 
before the document itself was created and ten minutes after the key used to generate the PGP 
signature was created. It is not possible to create a signature of a document before the document 
to be signed exists. 
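
The timeline check in paragraphs 63 to 66, as an added Python example that is not part of the report and is not GnuPG’s own code: it reads the creation time and issuer key ID from a version 4 OpenPGP signature packet and compares them with the key and document creation times stated above. The signature bytes are constructed from those stated values (the signature value itself is a dummy and would not verify), and the creation time is whatever the signing computer’s clock supplied.

```python
import struct
from datetime import datetime, timedelta, timezone


def read_packets(data: bytes):
    """Yield (tag, body) for each packet in a binary (de-armored) OpenPGP stream."""
    i = 0
    while i < len(data):
        header = data[i]
        if not header & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if header & 0x40:  # new-format header
            tag, first = header & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths are not handled here")
        else:  # old-format header
            tag, length_type = (header >> 2) & 0x0F, header & 0x03
            if length_type == 3:
                raise ValueError("indeterminate length is not handled here")
            size = 1 << length_type  # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, data[i:i + length]
        i += length


def subpackets(area: bytes):
    """Yield (type, payload) for each signature subpacket in a subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        yield area[i] & 0x7F, area[i + 1:i + length]  # high bit is the critical flag
        i += length


def signature_metadata(data: bytes) -> dict:
    """Creation time (subpacket 2) and issuer key ID (subpacket 16) of the first signature."""
    for tag, body in read_packets(data):
        if tag != 2:
            continue
        if body[0] != 4:
            raise ValueError("only version 4 signature packets are handled")
        hashed_len = struct.unpack(">H", body[4:6])[0]
        hashed = body[6:6 + hashed_len]
        start = 6 + hashed_len
        unhashed_len = struct.unpack(">H", body[start:start + 2])[0]
        unhashed = body[start + 2:start + 2 + unhashed_len]
        fields = {"created": None, "issuer": None}
        for kind, payload in list(subpackets(hashed)) + list(subpackets(unhashed)):
            if kind == 2 and fields["created"] is None:
                seconds = int.from_bytes(payload, "big")
                fields["created"] = datetime.fromtimestamp(seconds, timezone.utc)
            elif kind == 16:
                fields["issuer"] = payload.hex().upper()
        return fields
    raise ValueError("no signature packet found")


def timeline_findings(sig: dict, key_created: datetime, doc_created: datetime) -> list:
    """Ordering problems between key creation, signature creation and document creation."""
    findings = []
    if sig["created"] < key_created:
        findings.append("signature predates its key")
    if sig["created"] < doc_created:
        findings.append("signature predates the signed document")
    return findings


def build_sample_signature(created: datetime, key_id_hex: str) -> bytes:
    """Constructed detached-signature packet carrying only the metadata of interest."""
    def sub(kind: int, payload: bytes) -> bytes:
        return bytes([len(payload) + 1, kind]) + payload
    hashed = sub(2, struct.pack(">I", int(created.timestamp())))
    unhashed = sub(16, bytes.fromhex(key_id_hex))
    body = (bytes([4, 0x00, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x00\x00" + b"\x00\x08\xff")  # hash prefix and a dummy one-octet MPI
    return bytes([0x88, len(body)]) + body  # old-format header, tag 2, one length octet


# Times and key ID as stated in paragraphs 63, 65 and 66.
KEY_CREATED = datetime(2010, 11, 10, 23, 21, 34, tzinfo=timezone.utc)
DOCUMENT_CREATED = datetime(2015, 5, 5, 22, 38, 52, tzinfo=timezone(timedelta(hours=10)))
SAMPLE_SIGNATURE = build_sample_signature(
    datetime(2010, 11, 10, 23, 31, 2, tzinfo=timezone.utc), "5D303347E3C7665F")

if __name__ == "__main__":
    meta = signature_metadata(SAMPLE_SIGNATURE)
    print(meta, timeline_findings(meta, KEY_CREATED, DOCUMENT_CREATED))
```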

67. I also reviewed “Andrew Sommer.pdf.tar.asc” which is an encrypted .tar archive²³ 
that contains another copy of “Andrew Sommer.pdf.” (Ex. 86.) I verified that the MD5 hash of the 
extracted copy of “Andrew Sommer.pdf” matches that of DEF_01587954,²⁴ which indicates the 
two documents are identical. The metadata associated with the PGP-encrypted archive indicates 
the archive was encrypted on or about May 6, 2015 at 12:35:02 AM (UTC). 

22 1HR42TZ27gSAQUiLEyT7bVThqi5ZbadVie 
23 A tar archive, much like .zip files, is a compressed file containing one or more other files similar 
to .zip files. I decompressed the decrypted .tar archive using 7-zip 18.06. 

D. DEF_01222659 


68. I also reviewed DEF_01222659, which is an email purportedly from “Ritzela De 
Gracia <ritzeln to “Sommer, Andrew <<sommer i sent on 
or about May 27, 2015 at 10:35:55 AM (UTC). “<accouns i is CC’ed on the 
email. (Ex. 87.) 

69. The email attaches two files: “Invoice-00701208.pdf”²⁵ and 
“Invoice-00701208.pdf.sig.”²⁶ “Invoice-00701208.pdf” purports to be an invoice from HighSecured.com 
dated May 25, 2015. “Invoice-00701208.pdf.sig” is a cryptographic signature of the invoice. (Ex. 
88.) 

70. I extracted and analyzed the PDF metadata associated with 
“Invoice-00701208.pdf.” (Ex. 89.) The metadata indicates the PDF was created on or about May 27, 2015 
at 9:56:23 AM (UTC). The PDF was later modified at 8:04:16 PM in a time zone consistent with 
eastern Australia (UTC+10). 

71. I compared MD5 hashes for “Invoice-00701208.pdf” and DEF_00051013 and 
verified the files are identical.²⁷ I previously analyzed DEF_00051013, which I determined to be 
manipulated and so “Invoice-00701208.pdf” attached to DEF_01222659 is also a manipulated 
document. (Ex. 73.) Further, the metadata indicates the PDF was originally created using 
“WHMCS,” which appears to be a reference to the same system used to create the manipulated 
HighSecured.com “Client Area” in DEF_01596539. 

24 65103068d91b86d0e3e1ea3246bc9208 
25 DEF_01222660 
26 DEF_01222661 
27 £292d946dcbbbed5 187427fbd7£0 1 Lec 

72. Accordingly, it is my opinion that the foregoing emails produced by the Defendant 
purportedly from itzela not authentic emails from “Ritzela De Gracia” nor 
are they associated with HighSecured.com. 

XI. DEFAUS_01807944 


73. I reviewed DEFAUS_01807944, which is an email purportedly sent by 
“HighSecured <info to “asommer@claytonutz.com” on or about May 3, 
2015 at 1:41:00 AM (UTC). “craig. wright Gi “ramona wats (ian 
and “Ama. Synno( (i are CC’ed on the email. (Ex. 90.) 


74. The “From:” header purports to show the email was sent from 
“info@highsecured.com.” As noted in Section VII, the “From:” header can be manipulated to 
make it appear as if an email originated from a particular email address. If, however, the sender of 
the email manipulates the “From:” header to make it appear as if the email originated from an 
email address they do not control, the sender would not be able to receive any replies to that email. 


75. In DEFAUS_01807944, however, the “Reply-To:” header contains the email 
address “DeGraciaRitzela ‘iv i Consequently, any replies to 
DEFAUS_01807944 would not go to “i but instead would be addressed 

76. I analyzed the series of “Received:” headers contained within DEFAUS_01807944. 
The “Received:” header on lines 19-20 of Exhibit 90 indicates the email was sent purportedly 
using an email server that identified itself as “smtp.highsecured.com”²⁸ which, according to lines 
15-18, was associated with the IP address 199.59.161.13 at the time the email was sent. 

77. I reviewed the historical SPF records for HighSecured.com. (Ex. 91.) At the time 
DEFAUS_01807944 was sent, the following IP addresses were permitted to originate email from 
highsecured.com addresses: 192.184.8.9, 200.46.241.86, and 201.218.236.45. The IP address 
purportedly associated with “smtp.highsecured.com” (199.59.161.13) was not permitted to send 
email from hm. email addresses. 

78. I reviewed the historical subdomains associated with HighSecured.com. (Ex. 92.) 
While there was a record for “mail.highsecured.com,” I did not identify a record for 
“smtp.highsecured.com.” I reviewed historical records for IP addresses associated with 
“mail.highsecured.com.” The historical records were consistent with the SPF records of IP 
addresses allowed to originate email for iim email addresses and did not include 
the IP address 199.59.161.13 which was purportedly associated with “smtp.highsecured.com.” 
(Ex. 93.) 

79. The email content includes a cryptographically signed message. I used GnuPG to 
verify the signature and extract its metadata. (Ex. 94.) The metadata indicates the signature was 
created on or about May 3, 2015 at 1:36:33 AM (UTC) according to the computer on which it was 
created. The metadata further indicates the cryptographic signature was created using a public key 
purporting to belong to “Ritzela De Gracia <i ee 

80. The cryptographically signed message in DEFAUS_01807944 alleges that 
the Bitmessage address “BM-2cWjjZt7JKvnszN458cEiPi6XdkFrNL7E3” is “associated with 
HighSecured.” The same Bitmessage address was referenced in DEF_01591420 purportedly sent 
from “Ritzela De Gracia <i i on or about April 27, 2015. 

28 The domain displayed in the “helo” field on line 16 of Exhibit 90 is supplied by the client and 
does not necessarily indicate the true domain name associated with the email server’s IP address. 
(see, for example, IETF RFC 821 Section 3.5). 

81. As noted previously, DEF_00247440 produced by the Defendant is a Bitmessage 
“keys.dat” file which contains the private key associated with the Bitmessage address referenced 
in DEFAUS_01807944 and DEF_01591420. Thus, the Defendant had the means to send 
Bitmessages from the address listed in DEFAUS_01807944 and, therefore, Bitmessages sent from 
that address could have been sent by the Defendant. 

82. Accordingly, it is my opinion that DEFAUS_01807944 is not an authentic email 
from “info @ com.” 

XII. DEF_01588028 


83. I reviewed DEF_01588028, which is an email purportedly from “HighSecured 
7 ff to “sone on or about May 3, 2015 at 2:16:22 
AM (UTC). ‘orig. wight and “ramona. watts (ia are CC’ed on 
the email. (Ex. 95.) 

84. As in DEFAUS_01807944, the “Reply-To:” header contains the email address 
“DeGraciaRitzela ive I also analyzed the “Received:” headers in 
DEF_01588028. The email was also purportedly sent via the same email server (199.59.161.13) 
as DEFAUS_01807944, which at the time DEF_01588028, was not permitted to send email from 
OR. ..2i: addresses. 

85. The email content includes a cryptographically signed message. I used GnuPG to 
verify the signature and extract its metadata. (Ex. 96.) The metadata indicates the signature was 
created on or about May 3, 2015 at 2:06:12 AM (UTC) according to the computer on which it was 
created. The metadata further indicates the signature was created using a public key purporting to 
belong to “Ritzela De Gracia <i Oi 

86. The cryptographically signed message in DEF_01588028 is nearly identical to the 
purported letter addressed to Andrew Sommer in DEF_01587954, which I previously determined 
to reference a manipulated document (DEF_00051010) derived from an invoice for extension 
cables (DEF_01600654) from a company called 4Cabling sent to Craig Wright on or about August 
22, 2014 (DEF_01600652). 

87. Accordingly, it is my opinion that DEF_01588028 is not an authentic email from 
“info@highsecured.com.” 

XIII. DEF_01588060 

88. I reviewed DEF_01588060, which is an email purportedly from “HighSecured 
<d.rockwell to ‘sonnei sent on or about May 30, 2015 
at 5:39:00 AM (UTC). (Ex. 97.) 

89. As in DEFAUS_01807944 and DEF_01588028, the “Reply-To:” header contains 
the email address “DeGraciaRitzela «ive I also analyzed the “Received:” 
headers in DEF_01588060. The email was also purportedly sent via the same email server 
(199.59.161.13) as DEFAUS_01807944 and DEF_01588028, which at the time DEF_01588060, 
was not permitted to send email from it email addresses. 

90. The email content includes a cryptographically signed message. I used GnuPG to 
verify the signature and extract its metadata. (Ex. 98.) The GnuPG output indicates the signature 
is invalid, which suggests either the content or the signature itself had been modified after the 
signature was created. 

91. The metadata indicates the signature was created on or about May 30, 2015 at 
5:26:31 AM (UTC). The metadata also indicates the public key used to create the cryptographic 
signature in DEF_01588060 is the same public key purportedly belonging to 
mo that was used to create the cryptographic signature in DEF_01587955 
purportedly in 2010 of a document that did not exist until 2015. 

92. Accordingly, it is my opinion that DEF_01588060 is not an authentic email from 
“<.rockwell 

XIV. DEF_00065561 

93. I reviewed DEF_00065561, which is a PDF of a scan of a purported “Incorporation 
Form” for Abacus Seychelles dated July 27, 2011. 

94. I extracted and analyzed the metadata contained within DEF_00065561. (Exs. 99-100.) 
The metadata indicates the PDF was created on or about October 17, 2014 at 1:16:07 PM in 
a time zone associated with eastern Australia (UTC+10).²⁹ The metadata further indicates that 
pages 3, 4, and 5 of the PDF were later modified on or about November 24, 2015 at 3:59:01 PM 
in a time zone consistent with eastern Australia (UTC+11). I also analyzed the internal structure 
of DEF_00065561. (Exs. 101-103.) I identified TouchUp_TextEdit markers indicating the text 
within the document had been modified. 

95. I identified DEF_00053349, which is another PDF of the “Incorporation Form” 
dated October 17, 2014. I extracted and analyzed the metadata contained within DEF_00053349. 
(Ex. 104.) The metadata indicates the PDF was created on or about October 17, 2014 at 1:16:07 
PM in a time zone associated with eastern Australia (UTC+10)—the exact same time as 
DEF_00065561. Further, I determined the file identifiers contained within DEF_00065561 and 
DEF_00053349 indicate they are two versions of the same document. (Exs. 105 and 106, 
respectively.) 

29 I note that on October 17, 2014, the correct time zone in New South Wales and other eastern 
Australian states and territories was UTC+11. (Ex. 108.) 

96. I also identified DEFAUS_00519642, which is an email sent from “Viveca 
Magnusson <viveca.magnusson (iii to “Craig S Wright 
<craig. wight aa on or about October 16, 2014 at 9:18:23 PM (UTC-5). (Ex. 107.) 
The subject of the email is “Scanned copy of Abacus Incorporation From (sic).” The email includes 
an attached file “Abacus Incorporation Form.pdf,” the MD5 hash of which is identical to that of 
DEF_00053349.³⁰ 

97. Accordingly, it is my opinion that DEF_00065561 is not an authentic document, 
but instead has been manipulated. 

XV. DEFAUS_00065535 

98. I reviewed DEFAUS_00065535, which is a PDF of a purported “Declaration of 
Trust” dated July 21, 2011. 

99. I extracted and analyzed the metadata contained within DEFAUS_00065535. (Exs. 
109-110.) The metadata indicates the PDF was created on or about October 23, 2014 at 5:44:59 
(UTC+4). The metadata further indicates the PDF was later modified on or about November 24, 
2015 at 4:08:57 PM in a time zone consistent with eastern Australia (UTC+11). I also analyzed 
the internal structure of DEFAUS_00065535. (Ex. 111.) I identified TouchUp_TextEdit markers 
indicating the text within the document had been modified. 

100. I identified DEFAUS_01808571, which is another PDF of the “Declaration of 
Trust” document dated July 21, 2011, but with a different address for Craig Steven Wright. I 
extracted and analyzed the metadata contained within DEFAUS_01808571. (Ex. 112.) The 
metadata indicates the PDF was created on or about October 23, 2014 at 5:44:59 (UTC+4)—the 
exact same time as DEFAUS_00065535. Further, I determined the file identifiers contained within 
DEFAUS_00065535 and DEFAUS_01808571 indicate they are two versions of the same 
document. (Exs. 113 and 114, respectively.) 

30 7133a8b5c478108efc4255c9fa5b5611 

101. I also identified DEFAUS_00519977, which is another PDF of the “Declaration of 
Trust” document dated July 21, 2011, but with another different address for Craig Steven Wright. 
I extracted and analyzed the metadata contained within DEFAUS_00519977. (Ex. 115.) The 
metadata indicates the document was created by “Craig S. Wright” using “Microsoft Word 2013” 
on or about November 6, 2014 at 4:12:59 PM in a time zone consistent with eastern Australia 
(UTC+11). The file identifiers contained within DEFAUS_00519977 indicate it is a distinct 
document from DEFAUS_00065535 and DEFAUS_01808571. (Ex. 116.) 

102. Accordingly, it is my opinion that DEFAUS_00065535 is not an authentic 
document, but instead has been manipulated. 
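
The following Python example is added here for illustration and is not part of the report or its exhibits. It runs the three kinds of PDF checks described in the sections above: comparing the first element of the trailer /ID, reading the Info dictionary dates with their UTC offsets, and counting /TouchUp_TextEdit markers in decompressed streams. It assumes the usual PDF convention that the first /ID element stays fixed across saves while the second changes; the sample bytes, IDs, timestamps and helper names are constructed.

```python
import re
import zlib
from datetime import datetime, timedelta, timezone

ID_RE = re.compile(rb"/ID\s*\[\s*<([0-9A-Fa-f]+)>\s*<([0-9A-Fa-f]+)>\s*\]")
DATE_RE = re.compile(rb"/(CreationDate|ModDate)\s*\(D:(\d{14})([+-])(\d\d)'(\d\d)")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)

def pdf_facts(data: bytes) -> dict:
    """Collect trailer /ID, Info dates and TouchUp markers from raw PDF bytes."""
    facts = {"ids": None, "dates": {}, "touchup": 0}
    ids = ID_RE.findall(data)
    if ids:  # last trailer wins when incremental updates were appended
        facts["ids"] = tuple(part.decode().lower() for part in ids[-1])
    for key, stamp, sign, hh, mm in DATE_RE.findall(data):
        offset = timedelta(hours=int(hh), minutes=int(mm))
        tz = timezone(offset if sign == b"+" else -offset)
        when = datetime.strptime(stamp.decode(), "%Y%m%d%H%M%S")
        facts["dates"][key.decode()] = when.replace(tzinfo=tz)
    for raw in STREAM_RE.findall(data):
        try:  # streams are usually Flate-compressed; the trailing EOL is ignored
            body = zlib.decompressobj().decompress(raw)
        except zlib.error:
            body = raw  # stream was stored uncompressed
        facts["touchup"] += body.count(b"/TouchUp_TextEdit")
    return facts

def same_lineage(a: dict, b: dict) -> bool:
    """True when both files share the permanent (first) /ID element."""
    return bool(a["ids"] and b["ids"]) and a["ids"][0] == b["ids"][0]

def make_pdf(ids, created, modified=b"", edited=False) -> bytes:
    """Constructed, minimal PDF-like sample; not a real exhibit."""
    text = (b"/TouchUp_TextEdit MP " if edited else b"") + b"BT (Trust) Tj ET"
    info = b"/CreationDate (D:" + created + b")"
    if modified:
        info += b" /ModDate (D:" + modified + b")"
    return (b"%PDF-1.6\n1 0 obj\n<< " + info + b" >>\nendobj\n2 0 obj\n"
            b"<< /Filter /FlateDecode >>\nstream\n" + zlib.compress(text)
            + b"\nendstream\nendobj\ntrailer\n<< /Info 1 0 R /ID [<"
            + ids[0] + b"> <" + ids[1] + b">] >>\n%%EOF\n")

# Constructed IDs and timestamps (placeholders, not values from the exhibits).
CREATED = b"20141023054459+04'00'"
ORIGINAL = pdf_facts(make_pdf((b"AA11" * 8, b"AA11" * 8), CREATED))
EDITED = pdf_facts(make_pdf((b"AA11" * 8, b"BB22" * 8), CREATED,
                            modified=b"20151124160857+11'00'", edited=True))
if __name__ == "__main__":
    print(same_lineage(ORIGINAL, EDITED), EDITED["touchup"], EDITED["dates"])
```

A byte-level scan like this misses Info dictionaries stored inside compressed object streams, so a null result is not proof that a date or marker is absent.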

XVI. DEF_01839995 

103. I reviewed DEF_01839995, which is a Microsoft Word “.doc” file containing a 
document titled “BitCoin: SEIR-C propagation models of block and transaction dissemination.” 

104. I reviewed the document properties using Microsoft Word. (Ex. 117.) The 
document was purportedly created on or about October 12, 2008 and last modified on or about 
December 22, 2008. I also examined the document properties using olefile.31 (Ex. 118.) The output 
from olefile is consistent with the properties displayed by Microsoft Word. 

31 I used the olefile script included in oletools-0.55. 
105. I reviewed the contents of DEF_01839995 using a hex editor. I identified multiple 
references to websites that appear to have not been created until 2013 and which are not visible 
when viewing the document in Microsoft Word. (Exs. 119-120.) The references also indicate the 
websites were accessed in January 2014. The references also include the statement, “It should be 
noted that the rate of creation of 12.5 new Bitcoin is current rate at the time of this paper, and it is 
understood that the Bitcoin algorithm is designed to reduce that rate over time.” 

106. Accordingly, it is my opinion that DEF_01839995 is not an authentic document, 
but instead has been manipulated. 

XVII. METANET-ICU.SLACK.COM 

107. Counsel for Plaintiffs provided me with a username and password to access the 
metanet-icu.slack.com Slack workspace32 and asked that I collect screenshots of certain Slack 
messages and threads, which I have attached at Exhibit 121. In particular, I accessed the relevant 
Slack workspace using Google Chrome and the Slack desktop client for Microsoft Windows. The 
screenshots were taken by me on April 8-9, 2020 with Snagit 2020.1.1, which is a tool for capturing 
screenshots and which has been used by me and others in my field for such purposes. 

XVIII. DEF_00239622 


108. I reviewed DEF_00239622, which is an email from “Craig S Wright 
<[illegible]>” to “invoices <invoices[illegible]>” sent on or about December 5, 2014. 
The email forwards an auction invoice previously sent to [illegible] 

109. I previously reviewed DEF_00013459, which is a PDF of an email sent from 
craig@[illegible] craig@[illegible] and modified to make it appear as if the 
email was sent from “Dave Kleiman” to “Craig S Wright.” I extracted and analyzed the mail 
transport headers from DEF_00239622. (Ex. 122.) The mail transport headers indicate 
DEF_00239622 was sent from a client with the same computer name (“PCCSW01”) and IP 
address (“14.1.18.30”) as the purported email in DEF_00013459. 

32 Slack is a proprietary and commercially available instant messaging platform with features 
similar to a chat room (or “channel”). A Slack “workspace” is, essentially, a collection of Slack 
channels. 

110. I also identified DEF_00169220, DEF_00171109, DEF_00239037, and 
DEF_00239621, which are also emails sent from “PCCSW01” with IP address 14.1.18.30. (Exs. 
124-127.) I also identified DEF_00013675, DEF_00238089, DEF_00762765, DEF_762940, 
DEF_00763043, DEF_01220321, DEF_01590839, DEF_01599641, DEF_01600410, 
DEF_01618590, and DEF_01674223, which are also emails sent from “PCCSW01.” (Exs. 128-138.) 


Dated: April 10, 2020 




Dr. Matthew J. Edman 
New York, NY 